Null Pointer Dereference in Linux Kernel Affecting Networking Functionality
CVE-2026-43441

7.5 HIGH

Key Information:

Vendor: Linux

CVE Published: 8 May 2026

What is CVE-2026-43441?

A vulnerability in the Linux kernel's bonding driver can lead to a null pointer dereference when running with IPv6 disabled. This occurs if the system is booted with the 'ipv6.disable=1' parameter. The initialization routine for IPv6 fails to set up necessary structures, resulting in potential crashes during packet validation. Specifically, when bonding ARP/NS validation is enabled, a received IPv6 Neighbor Solicitation or Advertisement can cause the system to crash, as critical checks are made on uninitialized memory. The vulnerability can be mitigated by ensuring checks for IPv6 module status prior to processing related packets.
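A host-side check for the condition described above, as an added example that is not kernel or vendor code: it lists bonds with validation enabled when the kernel was booted with `ipv6.disable=1`. It assumes the bonding sysfs attribute `arp_validate` is the setting the description calls ARP/NS validation; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not kernel or vendor code. Paths are parameters so the logic
# can be run against constructed files as well as the live system.

# True when the kernel command line contains ipv6.disable=1.
ipv6_disabled_at_boot() {
    [ -r "$1" ] || return 1
    for arg in $(cat "$1"); do
        [ "$arg" = "ipv6.disable=1" ] && return 0
    done
    return 1
}

# Print each bond whose arp_validate mode is not "none".
# Assumption: arp_validate is the setting the advisory calls "ARP/NS
# validation". The sysfs file reads "<mode> <number>", e.g. "none 0", "all 3".
bonds_with_validation() {
    [ -r "$1/bonding_masters" ] || return 0
    for bond in $(cat "$1/bonding_masters"); do
        f="$1/$bond/bonding/arp_validate"
        [ -r "$f" ] || continue
        read -r mode rest < "$f" || true
        [ -n "$mode" ] && [ "$mode" != "none" ] && echo "$bond"
    done
    return 0
}

# Status 0 plus the list of bonds when both conditions hold, status 1 otherwise.
exposed_bonds() {
    ipv6_disabled_at_boot "$1" || return 1
    found=$(bonds_with_validation "$2")
    [ -n "$found" ] || return 1
    echo "$found"
}

if exposed_bonds "${1:-/proc/cmdline}" "${2:-/sys/class/net}"; then
    echo "Bond(s) listed above validate ARP/NS while IPv6 is disabled at boot."
else
    echo "The condition described in the advisory is not present."
fi
```

Run without arguments it inspects `/proc/cmdline` and `/sys/class/net`; a listed bond marks a host to prioritise for a kernel update.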

Affected Version(s)

Linux 4e24be018eb9dbcefa4b01c07e298b147dc1a4d7 < 49dbfcb70eca5f6f9043594e1e323c74c39e3863

Linux 4e24be018eb9dbcefa4b01c07e298b147dc1a4d7


CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
