{"id":"CVE-2023-53343","summary":"icmp6: Fix null-ptr-deref of ip6_null_entry-\u003ert6i_idev in icmp6_dev().","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nicmp6: Fix null-ptr-deref of ip6_null_entry-\u003ert6i_idev in icmp6_dev().\n\nWith some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that\nhas the link-local address as src and dst IP and will be forwarded to\nan external IP in the IPv6 Ext Hdr.\n\nFor example, the script below generates a packet whose src IP is the\nlink-local address and dst is updated to 11::.\n\n  # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 \u003e $f; done\n  # python3\n  \u003e\u003e\u003e from socket import *\n  \u003e\u003e\u003e from scapy.all import *\n  \u003e\u003e\u003e\n  \u003e\u003e\u003e SRC_ADDR = DST_ADDR = \"fe80::5054:ff:fe12:3456\"\n  \u003e\u003e\u003e\n  \u003e\u003e\u003e pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)\n  \u003e\u003e\u003e pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=[\"11::\", \"22::\"], segleft=1)\n  \u003e\u003e\u003e\n  \u003e\u003e\u003e sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)\n  \u003e\u003e\u003e sk.sendto(bytes(pkt), (DST_ADDR, 0))\n\nFor such a packet, we call ip6_route_input() to look up a route for the\nnext destination in these three functions depending on the header type.\n\n  * ipv6_rthdr_rcv()\n  * ipv6_rpl_srh_rcv()\n  * ipv6_srh_rcv()\n\nIf no route is found, ip6_null_entry is set to skb, and the following\ndst_input(skb) calls ip6_pkt_drop().\n\nFinally, in icmp6_dev(), we dereference skb_rt6_info(skb)-\u003ert6i_idev-\u003edev\nas the input device is the loopback interface.  Then, we have to check if\nskb_rt6_info(skb)-\u003ert6i_idev is NULL or not to avoid NULL pointer deref\nfor ip6_null_entry.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)\nCode: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 \u003c48\u003e 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01\nRSP: 0018:ffffc90000003c70 EFLAGS: 00000286\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0\nRDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18\nRBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001\nR10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10\nR13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0\nFS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \u003cIRQ\u003e\n ip6_pkt_drop (net/ipv6/route.c:4513)\n ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))\n ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)\n __netif_receive_skb_one_core (net/core/dev.c:5455)\n process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)\n __napi_poll (net/core/dev.c:6460)\n net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:381)\n __dev_queue_xmit (net/core/dev.c:4231)\n ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)\n rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)\n sock_sendmsg (net/socket.c:725 net/socket.c:748)\n __sys_sendto (net/socket.c:2134)\n __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nRIP: 0033:0x7f9dc751baea\nCode: d8 64 89 02 48 c7 c0 ff f\n---truncated---","modified":"2026-03-20T12:33:06.241330Z","published":"2025-09-17T14:56:36.285Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53343.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1462e9d9aa52d14665eaca6d89d22c4af44ede04"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2aaa8a15de73874847d62eb595c6683bface80fd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/61b4c4659746959056450b92a5d7e6bc1243b31b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8803c59fde4dd370a627dfbf7183682fa0cabf70"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa657d319e6c7502a4eb85cc0ee80cc81b8e5724"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d30ddd7ff15df9d91a793ce3f06f0190ff7afacc"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53343.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53343"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4832c30d5458387ff2533ff66fbde26ad8bb5a2d"},{"fixed":"8803c59fde4dd370a627dfbf7183682fa0cabf70"},{"fixed":"61b4c4659746959056450b92a5d7e6bc1243b31b"},{"fixed":"d30ddd7ff15df9d91a793ce3f06f0190ff7afacc"},{"fixed":"3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8"},{"fixed":"1462e9d9aa52d14665eaca6d89d22c4af44ede04"},{"fixed":"aa657d319e6c7502a4eb85cc0ee80cc81b8e5724"},{"fixed":"2aaa8a15de73874847d62eb595c6683bface80fd"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53343.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}