-

CVE-2026-53012

nexthop: fix IPv6 route referencing IPv4 nexthop

In the Linux kernel, the following vulnerability has been resolved:

nexthop: fix IPv6 route referencing IPv4 nexthop

syzbot reported a panic [1] [2].

When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag
of all groups containing this nexthop is not updated. This is because
nh_group_v4_update is only called when replacing AF_INET to AF_INET6,
but the reverse direction (AF_INET6 to AF_INET) is missed.

This allows a stale has_v4=false to bypass fib6_check_nexthop, causing
IPv6 routes to be attached to groups that effectively contain only AF_INET
members. Subsequent route lookups then call nexthop_fib6_nh() which
returns NULL for the AF_INET member, leading to a NULL pointer
dereference.

Fix by calling nh_group_v4_update whenever the family changes, not just
AF_INET to AF_INET6.

Reproducer:
	# AF_INET6 blackhole
	ip -6 nexthop add id 1 blackhole
	# group with has_v4=false
	ip nexthop add id 100 group 1
	# replace with AF_INET (no -6), has_v4 stays false
	ip nexthop replace id 1 blackhole
	# pass stale has_v4 check
	ip -6 route add 2001:db8::/64 nhid 100
	# panic
	ping -6 2001:db8::1

[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0
[2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < ceffe81a0be92afc0cd1340bc8ca46559cce9bb4
Status affected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < 9c2d6770a5f4545a307eb66979bef7656a34d621
Status affected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < 6275796f22bb382f3e9aa58ed0b4ef7bdad78cb8
Status affected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < aaac3bed034239e1d75732211d9b05f30b0b4f35
Status affected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < ad85961004fd4bd2f31209ac4b07612c6cefb9e7
Status affected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < 613c8f4a501421dd258b07ea614205d4e16ec845
Status affected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < b3b7e850e1541f0520c4a12ec884255c30427ff6
Status affected
Version 7bf4796dd09984ad1612877a82d0d139c70ae27f
Version < 29c95185ba32b621fbc3800fb86e7dc3edf5c2be
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.3
Status affected
Version 0
Version < 5.3
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.083
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/ceffe81a0be92afc0cd1340bc8ca46559cce9bb4
https://git.kernel.org/stable/c/9c2d6770a5f4545a307eb66979bef7656a34d621
https://git.kernel.org/stable/c/6275796f22bb382f3e9aa58ed0b4ef7bdad78cb8
https://git.kernel.org/stable/c/aaac3bed034239e1d75732211d9b05f30b0b4f35
https://git.kernel.org/stable/c/ad85961004fd4bd2f31209ac4b07612c6cefb9e7
https://git.kernel.org/stable/c/613c8f4a501421dd258b07ea614205d4e16ec845
https://git.kernel.org/stable/c/b3b7e850e1541f0520c4a12ec884255c30427ff6
https://git.kernel.org/stable/c/29c95185ba32b621fbc3800fb86e7dc3edf5c2be