Linux Kernel Bonding Driver NULL Pointer Dereference Vulnerability When IPv6 is Disabled

A vulnerability in the Linux kernel bonding driver can lead to a NULL pointer dereference when IPv6 is disabled. This issue occurs because the neighbor discovery table is not initialized, causing a crash when certain validation features are enabled. The vulnerability affects the Linux kernel bonding driver in versions prior to the latest patch.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, which can lead to a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, boot the system with the 'ipv6.disable=1' parameter. This prevents the neighbor discovery table from being initialized. Then, enable bonding ARP/NS validation and send an IPv6 Neighbor Solicitation or Neighbor Advertisement packet to a slave interface. The packet will be processed by the bonding driver, leading to a crash as the driver attempts to validate the IPv6 address.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.