HIGH

CVE-2026-43441

Published: May 8, 2026 · Updated: May 12, 2026

CVSS v3.1: 7.5
EPSS: 0.05% probability of exploitation in 30 days (percentile: 16.5th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags().

BUG: kernel NULL pointer dereference, address: 00000000000005d8
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170
Call Trace:
<IRQ>
ipv6_chk_addr+0x1f/0x30
bond_validate_na+0x12e/0x1d0 [bonding]
? __pfx_bond_handle_frame+0x10/0x10 [bonding]
bond_rcv_validate+0x1a0/0x450 [bonding]
bond_handle_frame+0x5e/0x290 [bonding]
? srso_alias_return_thunk+0x5/0xfbef5
__netif_receive_skb_core.constprop.0+0x3e8/0xe50
? srso_alias_return_thunk+0x5/0xfbef5
? update_cfs_rq_load_avg+0x1a/0x240
? srso_alias_return_thunk+0x5/0xfbef5
? __enqueue_entity+0x5e/0x240
__netif_receive_skb_one_core+0x39/0xa0
process_backlog+0x9c/0x150
__napi_poll+0x30/0x200
? srso_alias_return_thunk+0x5/0xfbef5
net_rx_action+0x338/0x3b0
handle_softirqs+0xc9/0x2a0
do_softirq+0x42/0x60
</IRQ>
<TASK>
__local_bh_enable_ip+0x62/0x70
__dev_queue_xmit+0x2d3/0x1000
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? packet_parse_headers+0x10a/0x1a0
packet_sendmsg+0x10da/0x1700
? kick_pool+0x5f/0x140
? srso_alias_return_thunk+0x5/0xfbef5
? __queue_work+0x12d/0x4f0
__sys_sendto+0x1f3/0x220
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x101/0xf80
? exc_page_fault+0x6e/0x170
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr().

NVD Source

Technical Analysis

CVE-2026-43441 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

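A successful exploit results in availability disruption (denial of service): per the description above, the kernel dereferences a NULL pointer in __ipv6_chk_addr_and_flags() while handling a received IPv6 NS/NA packet. The crash path is only reachable on hosts booted with 'ipv6.disable=1' that also have bonding ARP/NS validation enabled. The CVSS base score is 7.5.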
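
As a triage aid while patches are rolled out, the following added example (not part of the NVD entry or the kernel fix) lists the bonding interfaces on a host that meet both preconditions named in the description: IPv6 disabled at boot and bonding ARP/NS validation enabled. It assumes the standard sysfs files /sys/module/ipv6/parameters/disable, /sys/class/net/bonding_masters and /sys/class/net/<bond>/bonding/arp_validate; the function name exposed_bonds and its root-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: find bonds that meet the crash preconditions from the
# description (ipv6.disable=1 at boot + bonding ARP/NS validation enabled).
# Assumption: standard Linux sysfs layout. The optional first argument is a
# hypothetical sysfs root override so the check can run on a constructed tree.
#
# Usage: exposed_bonds            # inspect the running host under /sys
# Prints one bond name per line.
# Returns 0 if at least one bond is exposed, 1 if none, 2 if undetermined.
exposed_bonds() {
    root="${1:-/sys}"
    disable_file="$root/module/ipv6/parameters/disable"
    masters_file="$root/class/net/bonding_masters"

    # Booting with ipv6.disable=1 is reflected here as "1".
    [ -r "$disable_file" ] || return 2
    [ "$(cat "$disable_file")" = "1" ] || return 1

    # No bonding_masters file means the bonding driver is not loaded,
    # so there is no bond_rcv_validate() receive path on this host.
    [ -r "$masters_file" ] || return 1

    found=1
    for bond in $(cat "$masters_file"); do
        mode_file="$root/class/net/$bond/bonding/arp_validate"
        [ -r "$mode_file" ] || continue
        # The file holds "<name> <number>", e.g. "none 0" or "all 3".
        mode=""
        read -r mode rest < "$mode_file" || true
        if [ -n "$mode" ] && [ "$mode" != "none" ]; then
            echo "$bond"
            found=0
        fi
    done
    return "$found"
}
```

A return code of 2 means the IPv6 parameter file was not readable, so the host's state should be confirmed another way, for example from the kernel command line.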

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Req.: None
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: None
Integrity: None
Availability: High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-43441
CVSS Score: 7.5 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.05%
Published: May 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43441 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.