NULL Pointer Dereference Affecting kernel-docs-html package, versions <6.12.0-160000.33.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-SLES1600-KERNELDOCSHTML-17124909
- published2 Jun 2026
- disclosed28 May 2026
Introduced: 28 May 2026
NewCVE-2026-23300 (opens in a new tab)How to fix?
Upgrade SLES:16.0.0 kernel-docs-html to version 6.12.0-160000.33.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-docs-html package and not the kernel-docs-html package as distributed by SLES.
See How to fix? for SLES:16.0.0 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics.
Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows:
Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change.
Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless.
Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.
References
- https://www.suse.com/security/cve/CVE-2026-23300.html
- https://bugzilla.suse.com/1260538
- https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093
- https://git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644
- https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133
- https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc
- https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c
- https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a
- https://git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9
- https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f