CVE-2026-23300
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics.
Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows:
1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change.
2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless.
3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel panic occurs when an IPv4 route references an IPv6 nexthop object configured on the loopback device.
Root
Cause
In the Linux kernel, when an IPv6 nexthop object (e.g., ip -6 nexthop add id 100 dev lo) is created on a loopback device, fib6_nh_init() misclassifies it as a reject route because the nexthop has no destination prefix (fc_dst=::), causing fib6_is_reject() to match [1]. For reject routes, fib_nh_common_init() is not called, leaving nhc_pcpu_rth_output unallocated.
Exploitation
An attacker with sufficient privileges to create a standalone IPv6 nexthop on the loopback interface and later add an IPv4 route referencing that nexthop can trigger the bug. No authentication is required beyond local root access, but the attack requires control over the system's routing configuration.
Impact
When an IPv4 route subsequently references the misclassified nexthop, __mkroute_output() dereferences the NULL nhc_pcpu_rth_output, causing a kernel panic and system crash [1]. This constitutes a denial-of-service vulnerability.
Mitigation
The fix simplifies the check in fib6_nh_init() to only match explicit reject routes via the RTF_REJECT flag, ensuring standalone nexthops on loopback are properly initialized [1]. Three stable patch commits address the issue [2][3][4]. Administrators should apply the latest kernel updates from their distribution.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093nvd
- git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644nvd
- git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133nvd
- git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fcnvd
- git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34cnvd
- git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3anvd
- git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9nvd
- git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23fnvd
News mentions
0No linked articles in our index yet.