PatchSiren cyber security CVE debrief
CVE-2026-23381 Linux CVE debrief
A NULL pointer dereference vulnerability was found in the Linux kernel when IPv6 is disabled. The issue occurs when the 'ipv6.disable=1' parameter is used during boot, preventing the initialization of nd_tbl. When neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, the br_do_suppress_nd() function will dereference ipv6_stub->nd_tbl, which is NULL, causing a kernel NULL pointer dereference. This issue can impact Linux kernel deployments where IPv6 is disabled and neigh_suppress is enabled.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-25
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-03-25
- Advisory updated
- 2026-07-14
Who should care
Users of the Linux kernel who may be affected by this vulnerability should take action to mitigate the issue. This includes administrators of Linux-based systems, developers using the Linux kernel, and users of systems that rely on the Linux kernel. They should review official advisories, apply patches, and monitor for potential impacts.
Technical summary
The vulnerability is caused by a NULL pointer dereference in the br_do_suppress_nd() function when IPv6 is disabled. The nd_tbl is not initialized when IPv6 is disabled, and the function attempts to access it, resulting in a kernel NULL pointer dereference. The issue can be resolved by replacing the IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers, effectively disabling NS/NA suppression when IPv6 is disabled. This change prevents the NULL pointer dereference.
Defensive priority
Medium
Recommended defensive actions
- Apply patches provided by the Linux kernel maintainers
- Disable neigh_suppress if not required
- Monitor for ICMPv6 Neighbor Discovery packets
- Verify IPv6 is not disabled when required
- Review compensating controls for exposed systems
- Check relevant monitoring, detection, and logs for exposed assets
- Track exceptions and retest remediated assets
Evidence notes
The CVE record was published on 2026-03-25T11:16:38.160Z and was last modified on 2026-07-14T13:18:31.910Z. The NVD entry is currently Modified. This vulnerability affects Linux kernel deployments where IPv6 is disabled. Defenders should verify if affected systems exist in their environment and review official advisories for scope and severity. Evidence is limited to public CVE and NVD information.
Official resources
-
CVE-2026-23381 CVE record
CVE.org
-
CVE-2026-23381 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-25T11:16:38.160Z and has not been modified since then. The NVD entry is currently Modified.