Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-43099— ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

CVSS 7.5 · High EPSS 0.49% · P39

Possible ATT&CK Techniques 1AI

T1203 · Exploitation for Client Execution

Affected Version Matrix 16

VendorProductVersion RangeStatus
LinuxLinuxd329ea5bd8845f0b196bf41b18b6173340d6e0e4< 0f21bc261e60f0c696c58841c4873ff77ed83673affected
d329ea5bd8845f0b196bf41b18b6173340d6e0e4< dc5db4db19766a61ad65d81d1f55b1c1e51ba78daffected
d329ea5bd8845f0b196bf41b18b6173340d6e0e4< 47a8bf52156ac7e7a581eca31c1f964ba4258d4daffected
d329ea5bd8845f0b196bf41b18b6173340d6e0e4< 6be325206850a0891896d38bcf83a09d8b54ec48affected
d329ea5bd8845f0b196bf41b18b6173340d6e0e4< f91b3ed9e7fa82a70511b5f6901c88379acf2964affected
d329ea5bd8845f0b196bf41b18b6173340d6e0e4< 5b9911582d441f72fe6ccb15ffe3303bbc07f6f5affected
d329ea5bd8845f0b196bf41b18b6173340d6e0e4< fde29fd9349327acc50d19a0b5f3d5a6c964dfd8affected
5.13affected
… +8 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43099

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may safer than misreporting "No Such Interface".
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于icmp_build_probe中ipv6_stub->ipv6_dev_find可能返回ERR_PTR导致空指针解引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux d329ea5bd8845f0b196bf41b18b6173340d6e0e4 ~ 0f21bc261e60f0c696c58841c4873ff77ed83673 -
LinuxLinux 5.13 -

II. Public POCs for CVE-2026-43099

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43099

登录查看更多情报信息。

Patches & Fixes for CVE-2026-43099 (7)

Same Patch Batch · Linux · 2026-05-06 · 224 CVEs total

CVE-2026-431859.8 CRITICALksmbd: fix signededness bug in smb_direct_prepare_negotiation()
CVE-2026-431869.8 CRITICALipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
CVE-2026-432089.8 CRITICALnet: do not pass flow_id to set_rps_cpu()
CVE-2026-431989.8 CRITICALtcp: fix potential race in tcp_v6_syn_recv_sock()
CVE-2026-431259.8 CRITICALdlm: validate length in dlm_search_rsb_tree
CVE-2026-431149.4 CRITICALnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
CVE-2026-431179.1 CRITICALbtrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
CVE-2026-430839.1 CRITICALnet: ioam6: fix OOB and missing lock
CVE-2026-431979.1 CRITICALnetconsole: avoid OOB reads, msg is not nul-terminated
CVE-2026-432328.8 HIGHnet: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
CVE-2026-431128.8 HIGHfs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
CVE-2026-431138.8 HIGHwifi: wl1251: validate packet IDs before indexing tx_frames
CVE-2026-431108.8 HIGHwifi: brcmfmac: validate bsscfg indices in IF events
CVE-2026-431878.8 HIGHxfs: delete attr leaf freemap entries when empty
CVE-2026-432158.8 HIGHcifs: Fix locking usage for tcon fields
CVE-2026-431768.8 HIGHwifi: rtw89: pci: validate release report content before using for RTL8922DE
CVE-2026-432838.8 HIGHnet: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
CVE-2026-432398.8 HIGHsmb: client: prevent races in ->query_interfaces()
CVE-2026-431728.8 HIGHwifi: iwlwifi: fix 22000 series SMEM parsing
CVE-2026-431588.8 HIGHxfs: fix freemap adjustments when adding xattrs to leaf blocks

Showing top 20 of 224 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-43099

No comments yet


Leave a comment