PatchSiren cyber security CVE debrief
CVE-2026-43441 Linux CVE debrief
CVE-2026-43441 is a Linux kernel availability issue in bonding. According to the NVD record and the kernel fix description, booting with ipv6.disable=1 leaves nd_tbl uninitialized; if bonding ARP/NS validation is enabled and an IPv6 NS/NA packet arrives on a bonded slave, the validation path hands it to ipv6_chk_addr(), which hits the uninitialized state in __ipv6_chk_addr_and_flags() and triggers a kernel NULL pointer dereference. The published fix adds an ipv6_mod_enabled() check before IPv6 packets are dispatched to bond_na_rcv(), so the path is never entered when IPv6 is disabled.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-08
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-08
- Advisory updated
- 2026-05-21
Who should care
Linux kernel maintainers, distro security teams, and operators using bonding with ARP/NS validation (arp_validate) enabled, especially on hosts that boot with ipv6.disable=1. Network and platform teams should also care: the result is a remote, unauthenticated kernel crash, so the impact is loss of availability of the whole host, not just the bond.
Technical summary
The issue is a NULL dereference in the IPv6 address-check path reached from bonding receive validation. The reported call path is bond_validate_na() -> bond_has_this_ip6() -> ipv6_chk_addr() -> __ipv6_chk_addr_and_flags(). The root cause given in the fix description is that inet6_init() returns before ndisc_init() when IPv6 is disabled, so nd_tbl is never initialized, yet the bonding receive path still treats IPv6 as usable. Both preconditions are needed to reach the crash: the kernel must have been booted with ipv6.disable=1, and ARP/NS validation must be active on the bond so that bond_rcv_validate() dispatches IPv6 frames at all. The kernel patch avoids the crash by checking ipv6_mod_enabled() before bonding hands IPv6 packets to bond_na_rcv(), which stops bond_rcv_validate() from reaching ipv6_chk_addr() when IPv6 is disabled. NVD assigns CWE-476 and CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
High for any environment that uses Linux bonding with ARP/NS validation and disables IPv6 at boot. The issue is network-reachable (AV:N) with no privileges or user interaction required, and its effect is a kernel crash, so patched kernels should be prioritized on exposed or availability-sensitive systems. Hosts that do not meet both preconditions are not on the crash path but should still take the fix through normal stable updates.
Recommended defensive actions
- Upgrade to a kernel release that includes the fix for this issue (the ipv6_mod_enabled() check in the bonding receive path) or the relevant stable backport.
- If immediate patching is not possible, inventory hosts that boot with ipv6.disable=1 and check whether any bond on them has ARP/NS validation (arp_validate) enabled. Both conditions are required to reach the crash path, so either patching the kernel or changing one of the two settings closes it; disabling arp_validate removes the link-monitoring check it provides, so treat that as a temporary trade-off.
- Verify affected kernel branches against the NVD version ranges and vendor backport status before planning maintenance windows.
- Prioritize patching internet-facing or operationally critical systems where a kernel crash would cause service disruption.
- Track distro advisories for the kernel stable backports referenced in the official patch links.
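The following host audit is an added example written for this debrief; it is not part of the CVE record, the NVD entry, or the kernel patch. It checks the two preconditions described above (ipv6.disable=1 on the kernel command line and a bond with ARP/NS validation active) and reports which bonds on the host sit on the crash path. It assumes the bonding sysfs layout under /sys/class/net/<bond>/bonding/, that arp_validate prints as "<mode-name> <number>" with a non-zero number meaning validation is on, and that validation only runs when ARP monitoring is enabled (arp_interval greater than 0); those assumptions are about the kernel's sysfs interface, not something the CVE record states, and the pure functions can be run against constructed values without any bonding interface present.

```shell
#!/bin/sh
# Added example for CVE-2026-43441: audit a host for the two preconditions
# the debrief names. Not from the kernel or the CVE record.
# Assumed sysfs formats: arp_validate reads as "<name> <number>" (e.g. "active 1"),
# arp_interval reads as a plain integer in milliseconds.

# cmdline_disables_ipv6 "<kernel cmdline>": prints yes if the exact token
# ipv6.disable=1 is present, otherwise no.
cmdline_disables_ipv6() {
    for tok in $1; do
        case "$tok" in
            ipv6.disable=1) echo yes; return 0 ;;
        esac
    done
    echo no
}

# arp_validate_enabled "<arp_validate value>" "<arp_interval value>": prints yes
# when the numeric mode is non-zero and ARP monitoring is active, otherwise no.
arp_validate_enabled() {
    mode_num=${1##* }          # "active 1" -> "1"; a bare number is kept as-is
    interval=${2:-0}
    case "$mode_num" in
        ''|*[!0-9]*) echo no; return 0 ;;
    esac
    case "$interval" in
        ''|*[!0-9]*) echo no; return 0 ;;
    esac
    if [ "$mode_num" -ne 0 ] && [ "$interval" -gt 0 ]; then
        echo yes
    else
        echo no
    fi
}

# bond_ns_exposure <cmdline> <arp_validate> <arp_interval>: prints "exposed"
# only when both preconditions hold, otherwise "not-exposed".
bond_ns_exposure() {
    if [ "$(cmdline_disables_ipv6 "$1")" = yes ] &&
       [ "$(arp_validate_enabled "$2" "$3")" = yes ]; then
        echo exposed
    else
        echo not-exposed
    fi
}

# audit_host: apply the checks to the live system when the files exist.
# Never exits non-zero, so it is safe to run from a fleet-wide job.
audit_host() {
    [ -r /proc/cmdline ] || { echo "no /proc/cmdline; skipping live audit"; return 0; }
    cmdline=$(cat /proc/cmdline)
    echo "kernel: $(uname -r)"
    echo "ipv6.disable=1 on cmdline: $(cmdline_disables_ipv6 "$cmdline")"
    found=0
    for d in /sys/class/net/*/bonding; do
        [ -f "$d/arp_validate" ] || continue
        found=1
        bond=${d#/sys/class/net/}
        bond=${bond%/bonding}
        av=$(cat "$d/arp_validate")
        ai=$(cat "$d/arp_interval")
        printf '%s: arp_validate="%s" arp_interval=%s -> %s\n' \
            "$bond" "$av" "$ai" "$(bond_ns_exposure "$cmdline" "$av" "$ai")"
    done
    [ "$found" -eq 1 ] || echo "no bonding interfaces found"
}

audit_host
```

A bond reported as "exposed" needs the patched kernel or a change to one of the two settings; "not-exposed" means this particular crash path is closed on that host, not that the kernel is fixed, so the version check against NVD and distro advisories still applies.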
Evidence notes
All claims are taken from the supplied NVD record and official kernel patch references. The NVD record states the vulnerability is analyzed, with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-476. The description explains that ipv6.disable=1 prevents nd_tbl initialization, and that bonding ARP/NS validation can reach ipv6_chk_addr() and crash in __ipv6_chk_addr_and_flags(). The fix described is an ipv6_mod_enabled() check before dispatching IPv6 packets to bond_na_rcv(). NVD also lists vulnerable Linux kernel CPE ranges and the official kernel stable patch references are included below.
Official resources
- CVE-2026-43441 CVE record: CVE.org
- CVE-2026-43441 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
CVE published on 2026-05-08T15:16:56.523Z and last modified on 2026-05-21T17:16:14.133Z. This debrief uses the published CVE/NVD record and official kernel patch references only.