PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23381 Linux CVE debrief

A NULL pointer dereference vulnerability was found in the Linux kernel when IPv6 is disabled. The issue occurs when the 'ipv6.disable=1' parameter is used during boot, preventing the initialization of nd_tbl. When neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, the br_do_suppress_nd() function will dereference ipv6_stub->nd_tbl, which is NULL, causing a kernel NULL pointer dereference. This issue can impact Linux kernel deployments where IPv6 is disabled and neigh_suppress is enabled.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-07-14
Advisory published
2026-03-25
Advisory updated
2026-07-14

Who should care

Users of the Linux kernel who may be affected by this vulnerability should take action to mitigate the issue. This includes administrators of Linux-based systems, developers using the Linux kernel, and users of systems that rely on the Linux kernel. They should review official advisories, apply patches, and monitor for potential impacts.

Technical summary

The vulnerability is caused by a NULL pointer dereference in the br_do_suppress_nd() function when IPv6 is disabled. The nd_tbl is not initialized when IPv6 is disabled, and the function attempts to access it, resulting in a kernel NULL pointer dereference. The issue can be resolved by replacing the IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers, effectively disabling NS/NA suppression when IPv6 is disabled. This change prevents the NULL pointer dereference.

Defensive priority

Medium

Recommended defensive actions

  • Apply patches provided by the Linux kernel maintainers
  • Disable neigh_suppress if not required
  • Monitor for ICMPv6 Neighbor Discovery packets
  • Verify IPv6 is not disabled when required
  • Review compensating controls for exposed systems
  • Check relevant monitoring, detection, and logs for exposed assets
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-03-25T11:16:38.160Z and was last modified on 2026-07-14T13:18:31.910Z. The NVD entry is currently Modified. This vulnerability affects Linux kernel deployments where IPv6 is disabled. Defenders should verify if affected systems exist in their environment and review official advisories for scope and severity. Evidence is limited to public CVE and NVD information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-25T11:16:38.160Z and has not been modified since then. The NVD entry is currently Modified.