KernelScan.io

HIGH

net/ipv4 ICMP Probe Deref

CVE-2026-43099

CVSS 7.5 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI: 7.5 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request.

RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may be safer than misreporting "No Such Interface".

02

Engine v0.2.0

Risk summary

Remote unauthenticated attackers can crash the kernel by sending RFC 8335 ICMP PROBE messages with IPv6 interface identifiers to a reachable target system when IPv6 is compiled as a module but not loaded. This causes a NULL pointer dereference in the ICMP probe response handler, resulting in a kernel panic and system denial of service.

Affected: net/ipv4/icmp.c (IPv4 ICMP)

Vulnerability analysis

The vulnerability occurs in icmp_build_probe() when processing RFC 8335 PROBE messages with IPv6 interface identifiers. When CONFIG_IPV6=m and the IPv6 module is not loaded, ipv6_stub->ipv6_dev_find() returns ERR_PTR(-EAFNOSUPPORT) instead of NULL or a valid device pointer. The code then passes this error pointer directly to dev_hold(), which attempts to dereference it as a valid struct device, causing a NULL pointer dereference and kernel crash. The fix adds an IS_ERR() check to detect error pointers and silently discard the request instead of proceeding with the invalid pointer. The attack is triggered by receiving a crafted ICMP PROBE packet over the network, requiring no local access or privileges.
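The pattern described in the analysis, as an added userspace model (not the kernel source and not KernelScan's code): an error pointer is non-NULL, so only an IS_ERR() screen stops it before the reference is taken. The `model_*` and `probe_*` names, the verdict enum, and the mapping of a NULL lookup to "No Such Interface" are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace restatement of the kernel error-pointer convention: an errno is
 * encoded in the top MAX_ERRNO addresses, so an error pointer is never NULL. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct model_dev { int refcnt; };          /* hypothetical stand-in for the device */
static struct model_dev model_eth0;        /* constructed sample device */

enum lookup { LOOKUP_HIT, LOOKUP_MISS, LOOKUP_V6_NOT_LOADED };
enum verdict { REPLY_OK, REPLY_NO_SUCH_IF, DROP_SILENTLY, INVALID_DEREF };

/* Models the three outcomes the analysis lists for the IPv6 device lookup. */
static struct model_dev *model_dev_find(enum lookup l)
{
    if (l == LOOKUP_HIT)  return &model_eth0;
    if (l == LOOKUP_MISS) return NULL;
    return ERR_PTR(-EAFNOSUPPORT);         /* IPv6 module not loaded */
}

/* Takes a reference; reports instead of crashing when handed a non-NULL
 * pointer that is not a real object (instrumentation for this model only). */
static enum verdict model_hold(struct model_dev *dev)
{
    if (!dev) return REPLY_NO_SUCH_IF;
    if (dev != &model_eth0) return INVALID_DEREF;
    dev->refcnt++;
    return REPLY_OK;
}

/* Unchecked shape: the lookup result goes straight to the hold. */
static enum verdict probe_unchecked(enum lookup l) { return model_hold(model_dev_find(l)); }

/* Checked shape: error pointers are screened with IS_ERR(), request dropped. */
static enum verdict probe_checked(enum lookup l)
{
    struct model_dev *dev = model_dev_find(l);
    if (IS_ERR(dev)) return DROP_SILENTLY;
    return model_hold(dev);
}

int main(void)
{
    printf("unchecked=%d checked=%d\n", probe_unchecked(LOOKUP_V6_NOT_LOADED),
           probe_checked(LOOKUP_V6_NOT_LOADED));
    return 0;
}
```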

03

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | 0f21bc261e60 |
| 6.1 | 6.1.175 | dc5db4db1976 |
| 6.12 | 6.12.83 | 6be325206850 |
| 6.18 | 6.18.24 | f91b3ed9e7fa |
| 6.19 | 6.19.14 | 5b9911582d44 |
| 6.6 | 6.6.136 | 47a8bf52156a |
| mainline | 7.0 | fde29fd93493 |