Linux Kernel VXLAN Component NULL Pointer Dereference Vulnerability When IPv6 is Disabled

A vulnerability in the Linux kernel's VXLAN implementation can lead to a NULL pointer dereference in the neighbor lookup function. This issue occurs when the system is booted with the 'ipv6.disable=1' parameter, which prevents the neighbor discovery table from being initialized. If an IPv6 packet is then injected into the interface, the VXLAN transmission process attempts to access the uninitialized table, resulting in a kernel crash. The vulnerability affects the Linux kernel's stable releases.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, boot the system with the 'ipv6.disable=1' parameter. Once the system is running, inject an IPv6 packet into a VXLAN interface. The packet will trigger the route shortcircuit function, which will attempt to look up a neighbor entry. Since the neighbor discovery table is not initialized, this will result in a NULL pointer dereference, causing a kernel panic.

Remediation

Users can remove the 'ipv6.disable=1' parameter to allow proper initialization of the neighbor discovery table. After removing the parameter, ensure that the system is rebooted to apply the changes.