CVE-2026-23293

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel’s VXLAN implementation. When the system boots with IPv6 disabled ('ipv6.disable=1'), the necessary network table (nd tbl) is not initialized, leading to a potential NULL pointer dereference within the neigh lookup() function when an IPv6 packet is received. This can result in a kernel panic, as indicated by a 'BUG: kernel NULL pointer dereference' message. The issue occurs during packet transmission via the vxlan xmit() function, triggered by calls to route shortcircuit() when processing IPv6 packets. The vulnerable function is neigh lookup().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-476

Related Identifiers

CVE-2026-23293

ECHO-A740-3F6A-7695

OESA-2026-1862

OESA-2026-1863

OESA-2026-1864

OPENSUSE-SU-2026:20572-1

SUSE-SU-2026:1342-1

SUSE-SU-2026:1573-1

SUSE-SU-2026:1575-1

SUSE-SU-2026:1643-1

SUSE-SU-2026:1661-1

SUSE-SU-2026:2068-1

SUSE-SU-2026:21114-1

SUSE-SU-2026:21123-1

SUSE-SU-2026:21237-1

SUSE-SU-2026:21255-1

SUSE-SU-2026:21352-1

SUSE-SU-2026:21361-1

Affected Products

Linux Kernel

CVE-2026-23293

Weakness Enumeration

Related Identifiers

Affected Products

References · 275