-
CVE-2026-23300
- EPSS 0.04%
- Veröffentlicht 25.03.2026 10:26:56
- Zuletzt bearbeitet 18.04.2026 09:16:17
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
When a standalone IPv6 nexthop object is created with a loopback device
(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies
it as a reject route. This is because nexthop objects have no destination
prefix (fc_dst=::), causing fib6_is_reject() to match any loopback
nexthop. The reject path skips fib_nh_common_init(), leaving
nhc_pcpu_rth_output unallocated. If an IPv4 route later references this
nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and
panics.
Simplify the check in fib6_nh_init() to only match explicit reject
routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback
promotion heuristic in fib6_is_reject() is handled separately by
ip6_route_info_create_nh(). After this change, the three cases behave
as follows:
1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"):
RTF_REJECT is set, enters reject path, skips fib_nh_common_init().
No behavior change.
2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. ip6_route_info_create_nh() still promotes it to reject
afterward. nhc_pcpu_rth_output is allocated but unused, which is
harmless.
3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. nhc_pcpu_rth_output is properly allocated, fixing the crash
when IPv4 routes reference this nexthop.Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
607e68c1b7c5a30c795571be1906d716e989a644
Status
affected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
c11d7c56c2076ee9cd72004f1976fe0734df2ae9
Status
affected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a
Status
affected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
b299121e7453d23faddf464087dff513a495b4fc
Status
affected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
f7c9f8e3607440fe39300efbaf46cf7b5eecb23f
Status
affected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
b3b5a037d520afe3d5276e653bc0ff516bbda34c
Status
affected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
8650db85b4259d2885d2a80fbc2317ce24194133
Status
affected
Version
493ced1ac47c48bb86d9d4e8e87df8592be85a0e
Version <
21ec92774d1536f71bdc90b0e3d052eff99cf093
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
5.3
Status
affected
Version
0
Version <
5.3
Status
unaffected
Version <=
5.10.*
Version
5.10.253
Status
unaffected
Version <=
5.15.*
Version
5.15.203
Status
unaffected
Version <=
6.1.*
Version
6.1.167
Status
unaffected
Version <=
6.6.*
Version
6.6.130
Status
unaffected
Version <=
6.12.*
Version
6.12.77
Status
unaffected
Version <=
6.18.*
Version
6.18.17
Status
unaffected
Version <=
6.19.*
Version
6.19.7
Status
unaffected
Version <=
*
Version
7.0
Status
unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.102 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|