CVE-2026-23124

Summary

In the Linux kernel, the following vulnerability has been resolved:

ipv6: annotate data-race in ndisc_router_discovery()

syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1]

This looks fine, IFLA_INET6_RA_MTU is best effort.

Add READ_ONCE()/WRITE_ONCE() to document the race.

Note that we might also reject illegal MTU values (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.

[1] BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery

read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 …

write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 …

value changed: 0x00000000 -> 0xe5400659

Affected Software

VendorProductVersion RangeStatus
LinuxLinux49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 < 4630897eb1a039b5d7b737b8dc9521d9d4b568b5affected
LinuxLinux49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 < 2619499169fb1c2ac4974b0f2d87767fb543582baffected
LinuxLinux49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 < fad8f4ff7928f4d52a062ffdcffa484989c79c47affected
LinuxLinux49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 < 2a2b9d25f801afecf2f83cacce98afa8fd73e3c9affected
LinuxLinux49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 < e3c1040252e598f7b4e33a42dc7c38519bc22428affected
LinuxLinux49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 < 9a063f96d87efc3a6cc667f8de096a3d38d74bb5affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.199 <= 5.15.*unaffected
LinuxLinux6.1.162 <= 6.1.*unaffected
LinuxLinux6.6.122 <= 6.6.*unaffected
LinuxLinux6.12.68 <= 6.12.*unaffected
LinuxLinux6.18.8 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References