CVE-2026-23293
Description
In the Linux kernel, the following vulnerability has been resolved:
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called, which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup().
BUG: kernel NULL pointer dereference, address: 0000000000000380
Oops: Oops: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x20/0x270
[...]
Call Trace:
 vxlan_xmit+0x638/0x1ef0 [vxlan]
 dev_hard_start_xmit+0x9e/0x2e0
 __dev_queue_xmit+0xbee/0x14e0
 packet_sendmsg+0x116f/0x1930
 __sys_sendto+0x1f5/0x200
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0x12f/0x1590
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VXLAN in the Linux kernel crashes with a NULL pointer dereference when IPv6 is disabled and an IPv6 packet is processed.
Vulnerability
CVE-2026-23293 is a NULL pointer dereference vulnerability in the Linux kernel's VXLAN implementation. When the kernel is booted with the ipv6.disable=1 parameter, the IPv6 neighbor discovery table (nd_tbl) is never initialized because inet6_init() exits before ndisc_init() is called. If an IPv6 packet is then injected into a VXLAN interface, the route_shortcircuit() function calls neigh_lookup(), which dereferences the uninitialized nd_tbl, leading to a kernel crash.
Exploitation
An attacker can trigger this vulnerability by sending a crafted IPv6 packet to a VXLAN interface on a system that has IPv6 disabled at boot. No authentication is required, and the attack can be performed remotely if the VXLAN interface is reachable. The crash occurs in the vxlan_xmit function, as shown in the kernel panic trace.
Impact
Successful exploitation results in a denial of service (DoS) due to a kernel NULL pointer dereference, causing a system crash or reboot. The vulnerability does not allow privilege escalation or code execution, but it can be used to disrupt network services.
Mitigation
The fix adds an early check in route_shortcircuit() to return immediately when the protocol is ETH_P_IPV6 and IPv6 is disabled. The patch has been applied to the stable kernel tree [1][2][3][4]. Users should update their kernel to a version containing the fix. As a workaround, ensure IPv6 is enabled or filter IPv6 traffic at the network boundary.
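To make the failing dispatch and the early check concrete, the following is an added user-space model of the unfixed and fixed route_shortcircuit() paths described above; it is not the kernel's code. The struct layout, the hash computation, the nd_tbl.nht == NULL condition standing in for the kernel's actual early check, and the sample destination are all assumptions made for illustration.

```c
/* Added example: a user-space model of the vxlan route_shortcircuit()
 * dispatch, not the kernel's code. Names mirror the kernel's, but the
 * structs, the hash and the exact form of the early check are assumptions
 * made for illustration. */
#include <stddef.h>
#include <stdint.h>

#define ETH_P_IP   0x0800
#define ETH_P_IPV6 0x86DD
#define RS_FALLTHROUGH (-1)   /* no short-circuit: frame takes the normal path */

/* Model of the per-table state that neigh_table_init() sets up. */
struct neigh_hash_table { uint32_t hash_rnd; unsigned int nbuckets; };
struct neigh_table { struct neigh_hash_table *nht; };

/* nd_tbl is a zeroed global, so nht stays NULL until the IPv6 init path runs. */
static struct neigh_table nd_tbl;

/* Model of ndisc_init(): never reached when booted with ipv6.disable=1. */
void ndisc_init_model(void) {
    static struct neigh_hash_table nht = { .hash_rnd = 0x9e3779b9u, .nbuckets = 8 };
    nd_tbl.nht = &nht;
}

/* Model of neigh_lookup(): reads the hash table unconditionally, so an
 * uninitialised nd_tbl is dereferenced just as in the oops quoted above. */
unsigned int neigh_lookup_model(const struct neigh_table *tbl, const uint8_t key[16]) {
    uint32_t h = tbl->nht->hash_rnd;               /* NULL dereference when nht == NULL */
    for (int i = 0; i < 16; i++) h = (h ^ key[i]) * 16777619u;
    return h % tbl->nht->nbuckets;
}

/* Unfixed dispatch: an IPv6 frame reaches neigh_lookup() whether or not the
 * table exists. */
int route_shortcircuit_unfixed(uint16_t proto, const uint8_t key[16]) {
    if (proto != ETH_P_IPV6) return RS_FALLTHROUGH;
    return (int)neigh_lookup_model(&nd_tbl, key);
}

/* Fixed dispatch: bail out before the lookup when the table was never set up.
 * The condition (nht == NULL) is this model's stand-in; the page only says the
 * kernel checks early for ETH_P_IPV6 and cannot use ipv6_mod_enabled(). */
int route_shortcircuit_fixed(uint16_t proto, const uint8_t key[16]) {
    if (proto != ETH_P_IPV6) return RS_FALLTHROUGH;
    if (nd_tbl.nht == NULL) return RS_FALLTHROUGH;     /* the early check */
    return (int)neigh_lookup_model(&nd_tbl, key);
}

/* Constructed sample IPv6 destination (2001:db8::1), not taken from the page. */
const uint8_t sample_dst[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
```

Calling route_shortcircuit_unfixed() with ETH_P_IPV6 before ndisc_init_model() reproduces the NULL dereference in this model; the fixed variant returns RS_FALLTHROUGH instead, and both agree once the table is initialised.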
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- git.kernel.org/stable/c/168ff39e4758897d2eee4756977d036d52884c7e
- git.kernel.org/stable/c/5f93e6b4d12bd3a4517a6d447ea675f448f21434
- git.kernel.org/stable/c/649e2bb74da54c96cf20729001e283626a2fefa0
- git.kernel.org/stable/c/abcd48ecdeb2e12eccb8339a35534c757782afcd
- git.kernel.org/stable/c/b5190fcd75a1f1785c766a8d1e44d3938e168f45
- git.kernel.org/stable/c/dc3e62cf3bbf66280a907ec379f373d0c3b8b2bc
- git.kernel.org/stable/c/f0373e9317bc904e7bdb123d3106fe4f3cea2fb7
- git.kernel.org/stable/c/fbbd2118982c55fb9b0a753ae0cf7194e77149fb
News mentions (0)
No linked articles in our index yet.