SB20260325165 - NULL Pointer Dereference in Linux kernel net vxlan driver
Published: March 25, 2026
Security Bulletin ID
SB20260325165
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) NULL Pointer Dereference (CVE-ID: CVE-2026-23293)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the VXLAN network driver when handling packets. A local user can send a specially crafted IPv6 packet into a VXLAN interface when IPv6 is disabled at boot time to trigger a kernel NULL pointer dereference and crash the system.
Exploitation requires the ability to inject packets into the VXLAN interface, which is typically available to local users or processes with network access.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/168ff39e4758897d2eee4756977d036d52884c7e
- https://git.kernel.org/stable/c/5f93e6b4d12bd3a4517a6d447ea675f448f21434
- https://git.kernel.org/stable/c/abcd48ecdeb2e12eccb8339a35534c757782afcd
- https://git.kernel.org/stable/c/b5190fcd75a1f1785c766a8d1e44d3938e168f45
- https://git.kernel.org/stable/c/f0373e9317bc904e7bdb123d3106fe4f3cea2fb7
- https://git.kernel.org/stable/c/fbbd2118982c55fb9b0a753ae0cf7194e77149fb