CVE-2026-43099 Overview
CVE-2026-43099 is a null pointer dereference vulnerability in the Linux kernel's IPv4 ICMP subsystem. The flaw resides in the icmp_build_probe() function within the kernel networking stack. When the IPv6 stack is built as a module (CONFIG_IPV6=m) and not loaded, ipv6_stub->ipv6_dev_find() returns ERR_PTR(-EAFNOSUPPORT). The code then passes this error pointer directly to dev_hold(), triggering a kernel crash. The condition is reachable through ICMP Extended Echo (probe) requests defined in RFC 8335 that include an IPv6 interface identifier. The issue affects Linux systems where IPv6 is configured as a non-loaded module.
Critical Impact
An attacker able to deliver a crafted ICMP Extended Echo probe can crash the kernel, producing a denial of service on hosts running with IPv6 compiled as an unloaded module.
Affected Products
- Linux kernel branches receiving fixes in commits 47a8bf5, 5b99115, 6be3252, f91b3ed, and fde29fd
- Systems built with CONFIG_IPV6=m where the ipv6 module is not loaded
- Hosts processing ICMP Extended Echo (probe) requests per RFC 8335
Discovery Timeline
- 2026-05-06 - CVE-2026-43099 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43099
Vulnerability Analysis
The defect is a [CWE-476] null pointer dereference in the IPv4 ICMP probe handler. RFC 8335 defines ICMP Extended Echo Request, allowing a sender to query interface state by name, ifIndex, or address, including IPv6 interface identifiers. The kernel resolves IPv6 identifiers through the ipv6_stub indirection layer, which provides callable hooks into the IPv6 module when it is loaded. When CONFIG_IPV6=m is set and the module has not been loaded, the stub returns ERR_PTR(-EAFNOSUPPORT) rather than a valid net_device pointer. The calling code in icmp_build_probe() did not check for an error pointer before invoking dev_hold(), which dereferences the pointer to manipulate the device reference count. This dereference of a non-canonical error-pointer address triggers an oops and panics the affected CPU path.
Root Cause
The root cause is missing error-pointer validation between ipv6_stub->ipv6_dev_find() and dev_hold(). Linux kernel convention requires callers to check return values with IS_ERR() before treating them as valid pointers. The original implementation assumed a successful lookup or NULL, but the stub layer can also return ERR_PTR(-EAFNOSUPPORT) when the IPv6 module is absent at runtime.
Attack Vector
The attack vector is network-based ICMP traffic. An adversary capable of sending ICMP Extended Echo Requests to a vulnerable host can craft a probe carrying an IPv6 interface identifier. When the host receives the probe with IPv6 unloaded, processing reaches the unguarded dev_hold() call and the kernel crashes. The fix discards such requests silently rather than returning a misleading "No Such Interface" response.
No verified public exploit code is available. The vulnerability mechanism is documented in the upstream commits referenced under Kernel Git Commit 47a8bf5 and Kernel Git Commit fde29fd.
Detection Methods for CVE-2026-43099
Indicators of Compromise
- Kernel oops messages referencing icmp_build_probe or dev_hold in dmesg and /var/log/kern.log
- Unexpected host reboots or panics correlated with inbound ICMP type 42 (Extended Echo Request) traffic
- Crash dumps showing fault addresses consistent with ERR_PTR(-EAFNOSUPPORT) (low negative values)
Detection Strategies
- Inspect kernel build configuration for CONFIG_IPV6=m combined with the ipv6 module being absent from lsmod output
- Capture and decode ICMPv4 traffic for type 42 Extended Echo Requests carrying IPv6 interface identifier objects
- Correlate kernel panic events with preceding ICMP probe packets at the network ingress layer
Monitoring Recommendations
- Forward kernel.* syslog facility entries to a centralized log platform and alert on repeated BUG: or Oops: strings
- Monitor ICMP type 42 ingress rates at perimeter and internal gateways for anomalous spikes
- Track host availability metrics for unexplained reboots on Linux systems where IPv6 is modular
How to Mitigate CVE-2026-43099
Immediate Actions Required
- Apply the upstream stable kernel updates corresponding to your distribution and reboot the affected hosts
- For systems that cannot be patched immediately, load the ipv6 module so that ipv6_dev_find() returns valid pointers instead of ERR_PTR(-EAFNOSUPPORT)
- Block or rate-limit inbound ICMP Extended Echo Requests (type 42) at perimeter firewalls
Patch Information
The fix adds an IS_ERR() check on the return value of ipv6_stub->ipv6_dev_find() and silently discards the request when the IPv6 stack is unavailable. Patches are available in upstream stable trees via Kernel Git Commit 47a8bf5, Kernel Git Commit 5b99115, Kernel Git Commit 6be3252, Kernel Git Commit f91b3ed, and Kernel Git Commit fde29fd. Consume the patch through your distribution's kernel update channel where possible.
Workarounds
- Load the ipv6 kernel module with modprobe ipv6 so the stub resolves to valid functions
- Drop inbound ICMP type 42 packets using iptables or nftables until the kernel update is applied
- Disable ICMP probe response handling on hosts that do not require RFC 8335 functionality
# Configuration example: load ipv6 and block ICMP Extended Echo Requests
sudo modprobe ipv6
sudo iptables -A INPUT -p icmp --icmp-type 42 -j DROP
sudo nft add rule inet filter input icmp type 42 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
