Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23442

CVE-2026-23442: Linux Kernel NULL Pointer Vulnerability

CVE-2026-23442 is a NULL pointer dereference flaw in the Linux Kernel's IPv6 SRv6 implementation that can occur when devices lack IPv6 configuration. This article covers the technical details, affected systems, and patches.

Updated:

CVE-2026-23442 Overview

CVE-2026-23442 is a NULL pointer dereference vulnerability in the Linux kernel's IPv6 Segment Routing (SRv6) implementation. The flaw exists in the seg6_hmac_validate_skb() and ipv6_srh_rcv() functions, which fail to validate the return value of __in6_dev_get(). When a network device lacks IPv6 configuration, such as when the MTU is below IPV6_MIN_MTU or after a NETDEV_UNREGISTER event, __in6_dev_get() returns NULL. Subsequent dereference of this pointer triggers a kernel crash. The issue is classified under [CWE-476] and affects Linux kernel versions starting from 4.10 through several 7.0 release candidates.

Critical Impact

A local attacker with low privileges can trigger a kernel NULL pointer dereference in SRv6 processing paths, causing a denial of service through system crash.

Affected Products

  • Linux Kernel 4.10 and later stable releases
  • Linux Kernel 7.0-rc1 through 7.0-rc7
  • Distributions shipping kernels with CONFIG_IPV6_SEG6_LWTUNNEL or SRv6 HMAC support

Discovery Timeline

  • 2026-04-03 - CVE-2026-23442 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-23442

Vulnerability Analysis

The vulnerability resides in the IPv6 Segment Routing Header (SRH) processing logic of the Linux kernel networking stack. SRv6 is an IPv6 extension that allows packets to carry an ordered list of segments defining a forwarding path. Both the HMAC validation function seg6_hmac_validate_skb() and the SRH receive handler ipv6_srh_rcv() call __in6_dev_get() to retrieve the IPv6 device structure (inet6_dev) associated with an incoming packet's network device.

The affected functions used the returned idev pointer without verifying it was non-NULL. __in6_dev_get() legitimately returns NULL in two documented scenarios: when the device's MTU is smaller than IPV6_MIN_MTU (1280 bytes), and after the device has received a NETDEV_UNREGISTER notification. In both cases, dereferencing the pointer to access IPv6 configuration fields causes the kernel to crash with an oops.

Root Cause

The root cause is missing input validation on a kernel API return value. The SRv6 code path assumed __in6_dev_get() would always return a valid inet6_dev structure for any device receiving IPv6 packets. This assumption breaks when packets are processed concurrently with device state transitions or against interfaces configured with sub-minimum MTUs.

Attack Vector

Exploitation requires local access with low privileges. An attacker capable of sending crafted SRv6 packets to a vulnerable interface, or able to manipulate network device state (for example, lowering an interface MTU below 1280), can race packet reception against the IPv6 device teardown sequence. When the SRH handler processes a packet whose ingress device has no inet6_dev, the NULL dereference triggers a kernel panic, halting the affected system.

No synthetic proof-of-concept code is provided. The upstream fixes are available in the kernel git repository — see the Kernel Git Commit a25853c9 and related commits for the exact one-line NULL checks added before each dereference.

Detection Methods for CVE-2026-23442

Indicators of Compromise

  • Kernel oops or panic messages referencing seg6_hmac_validate_skb or ipv6_srh_rcv in dmesg or /var/log/kern.log
  • Unexpected system crashes correlated with IPv6 SRv6 traffic or interface MTU changes
  • Repeated NETDEV_UNREGISTER events occurring alongside inbound SRv6 packets

Detection Strategies

  • Monitor kernel ring buffer output for NULL pointer dereference signatures in IPv6 segment routing code paths
  • Audit running kernel version against the patched commits listed in the vendor advisories
  • Correlate host availability monitoring with SRv6 packet flows on edge routers and Linux-based network functions

Monitoring Recommendations

  • Enable kdump or equivalent crash collection to capture kernel core dumps for post-incident analysis
  • Track interface MTU configuration changes through configuration management and audit logs
  • Alert on unexpected reboots of Linux hosts running SRv6 workloads, including container hosts and network gateways

How to Mitigate CVE-2026-23442

Immediate Actions Required

  • Apply the upstream Linux kernel patches that add NULL checks for idev in both seg6_hmac_validate_skb() and ipv6_srh_rcv()
  • Update to the latest stable kernel release provided by your Linux distribution
  • Restrict local access to systems processing SRv6 traffic until patches are deployed

Patch Information

The fix adds explicit NULL checks for the idev pointer returned by __in6_dev_get() before any field access. Patched commits are available in the mainline and stable kernel trees: Kernel Git Commit 06413793, Kernel Git Commit a25853c9, and Kernel Git Commit bc9843c3. Additional backport commits are referenced in the Kernel Git Commit 50352fc1 and Kernel Git Commit c5cedee5 trees.

Workarounds

  • Disable SRv6 functionality where not required by setting net.ipv6.conf.all.seg6_enabled=0 and equivalent per-interface sysctls
  • Unload the seg6 and seg6_hmac kernel modules on hosts that do not require segment routing
  • Enforce minimum MTU policies to prevent interfaces from being configured below IPV6_MIN_MTU
bash
# Configuration example: disable SRv6 processing on all interfaces
sysctl -w net.ipv6.conf.all.seg6_enabled=0
sysctl -w net.ipv6.conf.default.seg6_enabled=0

# Verify modules are not loaded
lsmod | grep -E 'seg6|seg6_hmac'

# Optionally blacklist the modules
echo 'blacklist seg6_hmac' >> /etc/modprobe.d/disable-srv6.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.