CVE-2026-53214
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix a potential NPD in cleanup_prefix_route()
addrconf_get_prefix_route() can return the fib6_null_entry sentinel entry which has a NULL fib6_table pointer. Therefore, before setting the route's expiration time, check that we are not working with this entry, as otherwise a NPD will be triggered [1].
Note that the other callers of addrconf_get_prefix_route() are not susceptible to this bug:
addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF | RTF_PREFIX_RT' flags which are not set on fib6_null_entry.
modify_prefix_route(): Fixed by commit a747e02430df ("ipv6: avoid possible NULL deref in modify_prefix_route()").
__ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for fib6_null_entry and returns an error.
[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] […] Call Trace: <TASK> __kasan_check_byte (mm/kasan/common.c:573) lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1)) _raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1)) cleanup_prefix_route (net/ipv6/addrconf.c:1280) ipv6_del_addr (net/ipv6/addrconf.c:1342) inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119) inet6_rtm_deladdr (net/ipv6/addrconf.c:4812) rtnetlink_rcv_msg (net/core/rtnetlink.c:6997) netlink_rcv_skb (net/netlink/af_netlink.c:2555) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1899) __sock_sendmsg (net/socket.c:802 (discriminator 4)) ____sys_sendmsg (net/socket.c:2698) ___sys_sendmsg (net/socket.c:2752) __sys_sendmsg (net/socket.c:2784) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | bd12abe294c7738421bdfbc486f1909d02db30e9 < 5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2 | affected |
| Linux | Linux | 5eb902b8e7193cdcb33242af0a56502e6b5206e9 < 192df376a05c2db15564640f9da7e20907c1fa24 | affected |
| Linux | Linux | 5eb902b8e7193cdcb33242af0a56502e6b5206e9 < 07d9a0870a178843cea44cfd58c27445dc94cf5f | affected |
| Linux | Linux | 5eb902b8e7193cdcb33242af0a56502e6b5206e9 < 653a2849305708f75260b5296f17b2a759ff9cc7 | affected |
| Linux | Linux | 5eb902b8e7193cdcb33242af0a56502e6b5206e9 < b70c687b7cf267fb08586667a3946c8851cad672 | affected |
| Linux | Linux | 6.6.120 < 6.6.143 | affected |
| Linux | Linux | 6.9 | affected |
| Linux | Linux | 0 < 6.9 | unaffected |
| Linux | Linux | 6.6.143 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.94 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.36 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.13 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2
- https://git.kernel.org/stable/c/192df376a05c2db15564640f9da7e20907c1fa24
- https://git.kernel.org/stable/c/07d9a0870a178843cea44cfd58c27445dc94cf5f
- https://git.kernel.org/stable/c/653a2849305708f75260b5296f17b2a759ff9cc7
- https://git.kernel.org/stable/c/b70c687b7cf267fb08586667a3946c8851cad672
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.