CVE-2026-53214

Summary

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix a potential NPD in cleanup_prefix_route()

addrconf_get_prefix_route() can return the fib6_null_entry sentinel entry which has a NULL fib6_table pointer. Therefore, before setting the route's expiration time, check that we are not working with this entry, as otherwise a NPD will be triggered [1].

Note that the other callers of addrconf_get_prefix_route() are not susceptible to this bug:

  1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF | RTF_PREFIX_RT' flags which are not set on fib6_null_entry.

  2. modify_prefix_route(): Fixed by commit a747e02430df ("ipv6: avoid possible NULL deref in modify_prefix_route()").

  3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for fib6_null_entry and returns an error.

[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] […] Call Trace: <TASK> __kasan_check_byte (mm/kasan/common.c:573) lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1)) _raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1)) cleanup_prefix_route (net/ipv6/addrconf.c:1280) ipv6_del_addr (net/ipv6/addrconf.c:1342) inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119) inet6_rtm_deladdr (net/ipv6/addrconf.c:4812) rtnetlink_rcv_msg (net/core/rtnetlink.c:6997) netlink_rcv_skb (net/netlink/af_netlink.c:2555) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1899) __sock_sendmsg (net/socket.c:802 (discriminator 4)) ____sys_sendmsg (net/socket.c:2698) ___sys_sendmsg (net/socket.c:2752) __sys_sendmsg (net/socket.c:2784) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxbd12abe294c7738421bdfbc486f1909d02db30e9 < 5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2affected
LinuxLinux5eb902b8e7193cdcb33242af0a56502e6b5206e9 < 192df376a05c2db15564640f9da7e20907c1fa24affected
LinuxLinux5eb902b8e7193cdcb33242af0a56502e6b5206e9 < 07d9a0870a178843cea44cfd58c27445dc94cf5faffected
LinuxLinux5eb902b8e7193cdcb33242af0a56502e6b5206e9 < 653a2849305708f75260b5296f17b2a759ff9cc7affected
LinuxLinux5eb902b8e7193cdcb33242af0a56502e6b5206e9 < b70c687b7cf267fb08586667a3946c8851cad672affected
LinuxLinux6.6.120 < 6.6.143affected
LinuxLinux6.9affected
LinuxLinux0 < 6.9unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.94 <= 6.12.*unaffected
LinuxLinux6.18.36 <= 6.18.*unaffected
LinuxLinux7.0.13 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References