CVE-2026-43101 Overview
CVE-2026-43101 is a NULL pointer dereference vulnerability in the Linux kernel's IPv6 In-situ Operations, Administration, and Maintenance (IOAM) implementation. The flaw resides in the __ioam6_fill_trace_data() function, which fails to verify the return value of __in6_dev_get() before use. When __in6_dev_get() returns NULL, subsequent dereferences trigger a kernel crash. The fix also introduces skb_dst_dev_rcu() in place of skb_dst_dev() and adds two missing READ_ONCE() annotations to prevent compiler-induced data races.
Critical Impact
A NULL dereference in the IPv6 IOAM packet processing path can trigger a kernel panic, resulting in denial of service on affected Linux systems handling IOAM-tagged IPv6 traffic.
Affected Products
- Linux kernel versions containing the IPv6 IOAM trace data implementation prior to the fixing commits
- Distributions shipping vulnerable upstream kernels with IPv6 IOAM enabled
- Systems processing IPv6 packets with IOAM trace headers
Discovery Timeline
- 2026-05-06 - CVE-2026-43101 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43101
Vulnerability Analysis
The vulnerability exists in the IPv6 IOAM (In-situ OAM) trace data path in the Linux kernel networking stack. The function __ioam6_fill_trace_data() calls __in6_dev_get() to retrieve the IPv6 device structure associated with a network device. The original code assumed this lookup would always succeed and proceeded to dereference the returned pointer without a NULL check.
When __in6_dev_get() returns NULL, for example on a device without IPv6 configuration state available at the moment of the call, the kernel dereferences a NULL pointer. This triggers an oops or panic depending on kernel configuration. The patch adds the missing NULL check before any access to the returned inet6_dev structure.
The fix additionally replaces skb_dst_dev() with skb_dst_dev_rcu() to ensure proper Read-Copy-Update (RCU) protection when accessing the destination device through the socket buffer. Two READ_ONCE() annotations are added to prevent the compiler from generating unsafe code on fields modified concurrently. The commit notes that @dev itself cannot be NULL, narrowing the failure case to the __in6_dev_get() result.
Root Cause
The root cause is a missing NULL check on the return value of __in6_dev_get() within __ioam6_fill_trace_data(). Combined with non-RCU device access and missing memory ordering primitives, the function exhibits unsafe pointer handling in a packet processing path that runs with limited error tolerance.
Attack Vector
An attacker capable of causing IPv6 IOAM-tagged packets to traverse a vulnerable host can drive the code path that triggers the NULL dereference. The exact preconditions depend on transient device state during the lookup. Successful triggering produces a kernel crash and denial of service. No code execution primitive has been disclosed for this issue.
No verified exploitation code is publicly available. The vulnerability mechanism is documented in the upstream commits referenced below. See the Kernel Git Commit - 4198aab6, Kernel Git Commit - 3719c234, and Kernel Git Commit - 4e65a8b8 for the patch details.
Detection Methods for CVE-2026-43101
Indicators of Compromise
- Kernel oops or panic messages referencing __ioam6_fill_trace_data in the call stack
- Unexpected reboots on hosts processing IPv6 traffic with IOAM extensions enabled
- dmesg entries showing NULL pointer dereference in the IPv6 networking subsystem
Detection Strategies
- Inventory running kernel versions across Linux fleets and compare against the fixed commit hashes 3719c234, 4198aab6, and 4e65a8b8
- Monitor kernel ring buffers for NULL pointer dereference traces involving the ioam6 symbol
- Audit which hosts have IPv6 IOAM enabled, since systems without IOAM exposure are not reachable through this code path
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log events to a centralized logging platform and alert on kernel oops signatures
- Track host availability metrics for unexpected reboots correlated with IPv6 traffic spikes
- Use distribution vulnerability trackers to confirm backport status for the kernel build in production
How to Mitigate CVE-2026-43101
Immediate Actions Required
- Apply vendor-supplied kernel updates that incorporate the upstream patches as soon as they are released by your Linux distribution
- If patching is delayed, disable IPv6 IOAM functionality on hosts where it is not required
- Restrict ingress of IPv6 packets carrying IOAM extension headers at perimeter and host firewalls
Patch Information
The vulnerability is resolved upstream in three stable tree commits: Kernel Git Commit - 3719c234, Kernel Git Commit - 4198aab6, and Kernel Git Commit - 4e65a8b8. The patches add the NULL check on __in6_dev_get(), switch to skb_dst_dev_rcu(), and add READ_ONCE() annotations. Distribution maintainers backport these changes to supported kernel branches.
Workarounds
- Disable the IPv6 IOAM subsystem at boot or via kernel module configuration on hosts that do not require it
- Drop inbound IPv6 packets containing IOAM Hop-by-Hop options using ip6tables or nftables rules until patched kernels are deployed
- Where feasible, disable IPv6 entirely on systems that do not require it as a defense-in-depth measure
# Example nftables rule to drop IPv6 packets carrying IOAM Hop-by-Hop options
nft add table ip6 filter
nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add rule ip6 filter input exthdr hbh exists drop
# Verify running kernel against fixed commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
