{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled",
    "id" : "2451220",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451220"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-824",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: bridge: fix nd_tbl NULL dereference when IPv6 is disabled\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6\nNeighbor Discovery packet reaches the bridge, br_do_suppress_nd() will\ndereference ipv6_stub->nd_tbl which is NULL, passing it to\nneigh_lookup(). This causes a kernel NULL pointer dereference.\nBUG: kernel NULL pointer dereference, address: 0000000000000268\nOops: 0000 [#1] PREEMPT SMP NOPTI\n[...]\nRIP: 0010:neigh_lookup+0x16/0xe0\n[...]\nCall Trace:\n<IRQ>\n? neigh_lookup+0x16/0xe0\nbr_do_suppress_nd+0x160/0x290 [bridge]\nbr_handle_frame_finish+0x500/0x620 [bridge]\nbr_handle_frame+0x353/0x440 [bridge]\n__netif_receive_skb_core.constprop.0+0x298/0x1110\n__netif_receive_skb_one_core+0x3d/0xa0\nprocess_backlog+0xa0/0x140\n__napi_poll+0x2c/0x170\nnet_rx_action+0x2c4/0x3a0\nhandle_softirqs+0xd0/0x270\ndo_softirq+0x3f/0x60\nFix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in\nthe callers. This is in essence disabling NS/NA suppression when IPv6 is\ndisabled.", "A flaw was found in the Linux kernel's network bridging component. When Internet Protocol version 6 (IPv6) is explicitly disabled, a critical data structure for Neighbor Discovery is not properly initialized. A remote attacker could exploit this by sending a specially crafted Internet Control Message Protocol version 6 (ICMPv6) Neighbor Discovery packet. This could lead to a kernel NULL pointer dereference, causing the system to crash and resulting in a Denial of Service (DoS)." ],
  "statement" : "This flaw affects bridge configurations with neigh_suppress enabled while IPv6 is disabled via ipv6.disable=1. When ICMPv6 ND packets reach the bridge, br_do_suppress_nd() dereferences the uninitialized nd_tbl, causing a NULL pointer crash. Similar to CVE-2026-23293 but affects bridge instead of VXLAN.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23381\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23381\nhttps://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23381-378d@gregkh/T" ],
  "name" : "CVE-2026-23381",
  "mitigation" : {
    "value" : "Do not use the ipv6.disable=1 boot parameter on systems using network bridging with neighbor suppression, or disable neigh_suppress on bridges when IPv6 is disabled.",
    "lang" : "en:us"
  },
  "csaw" : false
}