CVE-2026-43441

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled<br /> <br /> When booting with the &amp;#39;ipv6.disable=1&amp;#39; parameter, the nd_tbl is never<br /> initialized because inet6_init() exits before ndisc_init() is called<br /> which initializes it. If bonding ARP/NS validation is enabled, an IPv6<br /> NS/NA packet received on a slave can reach bond_validate_na(), which<br /> calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can<br /> crash in __ipv6_chk_addr_and_flags().<br /> <br /> BUG: kernel NULL pointer dereference, address: 00000000000005d8<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170<br /> Call Trace:<br /> <br /> ipv6_chk_addr+0x1f/0x30<br /> bond_validate_na+0x12e/0x1d0 [bonding]<br /> ? __pfx_bond_handle_frame+0x10/0x10 [bonding]<br /> bond_rcv_validate+0x1a0/0x450 [bonding]<br /> bond_handle_frame+0x5e/0x290 [bonding]<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> __netif_receive_skb_core.constprop.0+0x3e8/0xe50<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? update_cfs_rq_load_avg+0x1a/0x240<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? __enqueue_entity+0x5e/0x240<br /> __netif_receive_skb_one_core+0x39/0xa0<br /> process_backlog+0x9c/0x150<br /> __napi_poll+0x30/0x200<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> net_rx_action+0x338/0x3b0<br /> handle_softirqs+0xc9/0x2a0<br /> do_softirq+0x42/0x60<br /> <br /> <br /> __local_bh_enable_ip+0x62/0x70<br /> __dev_queue_xmit+0x2d3/0x1000<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? packet_parse_headers+0x10a/0x1a0<br /> packet_sendmsg+0x10da/0x1700<br /> ? kick_pool+0x5f/0x140<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? __queue_work+0x12d/0x4f0<br /> __sys_sendto+0x1f3/0x220<br /> __x64_sys_sendto+0x24/0x30<br /> do_syscall_64+0x101/0xf80<br /> ? exc_page_fault+0x6e/0x170<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to<br /> bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()<br /> and avoid the path to ipv6_chk_addr().