CVE-2026-23316
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ipv4: fix ARM64 alignment fault in multipath hash seed
struct sysctl_fib_multipath_hash_seed contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with a 4-byte alignment requirement.
In fib_multipath_hash_from_keys(), the code evaluates the entire struct atomically via READ_ONCE():
mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;
While this silently works on GCC by falling back to unaligned regular loads which the ARM64 kernel tolerates, it causes a fatal kernel panic when compiled with Clang and LTO enabled.
Commit e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when CONFIG_LTO=y") strengthens READ_ONCE() to use Load-Acquire instructions (ldar / ldapr) to prevent compiler reordering bugs under Clang LTO. Since the macro evaluates the full 8-byte struct, Clang emits a 64-bit ldar instruction. ARM64 architecture strictly requires ldar to be naturally aligned, thus executing it on a 4-byte aligned address triggers a strict Alignment Fault (FSC = 0x21).
Fix the read side by moving the READ_ONCE() directly to the u32 member, which emits a safe 32-bit ldar Wn.
Furthermore, Eric Dumazet pointed out that WRITE_ONCE() on the entire struct in proc_fib_multipath_hash_set_seed() is also flawed. Analysis shows that Clang splits this 8-byte write into two separate 32-bit str instructions. While this avoids an alignment fault, it destroys atomicity and exposes a tear-write vulnerability. Fix this by explicitly splitting the write into two 32-bit WRITE_ONCE() operations.
Finally, add the missing READ_ONCE() when reading user_seed in proc_fib_multipath_hash_seed() to ensure proper pairing and concurrency safety.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, an ARM64 alignment fault in multipath hash seed handling occurs when compiled with Clang and LTO, due to a 64-bit load-acquire on a 4-byte aligned struct, causing a kernel panic.
The vulnerability resides in the Linux kernel's IPv4 multipath routing code. The struct sysctl_fib_multipath_hash_seed contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with only a 4-byte alignment requirement. In fib_multipath_hash_from_keys(), the code uses READ_ONCE() on the entire struct to read mp_seed. When the kernel is compiled with Clang and Link-Time Optimization (LTO), READ_ONCE() is strengthened to a 64-bit Load-Acquire instruction (ldar), which the ARM64 architecture requires to be naturally aligned (8-byte). Executing ldar on a 4-byte aligned address triggers a strict alignment fault (FSC = 0x21), leading to a kernel panic.
Exploitation requires no special privileges beyond the ability to trigger IPv4 multipath routing decisions. Any process that causes the kernel to evaluate the multipath hash seed—for example, by sending network traffic over a multipath route—can trigger the fault. The bug is architecture-specific to ARM64 and only manifests under Clang LTO builds, but it can be reliably triggered by normal network operations.
The impact is a denial of service: an unprivileged attacker can cause a kernel panic, crashing the system. The CVSS v3 score of 5.5 (Medium) reflects the availability impact and the local nature of the trigger (network access is sufficient).
The fix, applied in multiple stable kernel commits [1][2][3][4], addresses both the read and write sides. On the read side, READ_ONCE() is moved to the individual u32 member, emitting a safe 32-bit ldar. On the write side in proc_fib_multipath_hash_set_seed(), the 8-byte write is explicitly split into two 32-bit WRITE_ONCE() operations so that each field is written atomically. Additionally, a missing READ_ONCE() is added when reading user_seed in proc_fib_multipath_hash_seed() for proper concurrency safety. Users should update to a kernel containing these fixes.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
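The layout and access pattern described above, modelled in userspace C as an added example (not kernel code and not part of the upstream patch). READ_ONCE()/WRITE_ONCE() here are simplified volatile stand-ins without acquire semantics, and struct demo_netns, misaligned_for(), read_mp_seed() and set_seed() are hypothetical names.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the kernel macros: a volatile access only. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

/* Same shape as the struct in the description: two u32 fields. */
struct sysctl_fib_multipath_hash_seed {
    uint32_t user_seed;
    uint32_t mp_seed;
};
_Static_assert(sizeof(struct sysctl_fib_multipath_hash_seed) == 8, "8 bytes");
_Static_assert(alignof(struct sysctl_fib_multipath_hash_seed) == 4, "align 4");

/* Hypothetical container: a preceding u32 puts the seed at offset 4, which is
 * valid for a 4-byte-aligned type but is not an 8-byte boundary. */
struct demo_netns {
    alignas(8) uint32_t other_sysctl;
    struct sysctl_fib_multipath_hash_seed seed;
};

/* 1 if an access of `width` bytes at p would not be naturally aligned. */
static int misaligned_for(const void *p, size_t width)
{
    return ((uintptr_t)p % width) != 0;
}

/* Fixed read side: READ_ONCE() on the u32 member, a 32-bit access. */
static uint32_t read_mp_seed(struct demo_netns *n)
{
    return READ_ONCE(n->seed.mp_seed);
}

/* Fixed write side: two explicit 32-bit WRITE_ONCE() operations. */
static void set_seed(struct demo_netns *n, uint32_t user_seed, uint32_t mp_seed)
{
    WRITE_ONCE(n->seed.user_seed, user_seed);
    WRITE_ONCE(n->seed.mp_seed, mp_seed);
}

int main(void)
{
    struct demo_netns n = {0};
    set_seed(&n, 0x11111111u, 0x22222222u); /* constructed sample values */
    /* Exit 0 when the 8-byte view is misaligned and the member view is not. */
    return !(misaligned_for(&n.seed, 8) && !misaligned_for(&n.seed.mp_seed, 4)
             && read_mp_seed(&n) == 0x22222222u);
}
```

An 8-byte access to the whole struct lands on an address that is only 4-byte aligned, while each per-member 32-bit access is naturally aligned, which is why the fixed accessors are safe with a 32-bit ldar.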
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.11.1,<6.12.77
- cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References: 4
News mentions: 0 (no linked articles in our index yet)