{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23300", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:56.138Z", "dateUpdated": "2026-04-18T08:57:47.517Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-18T08:57:47.517Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop\n\nWhen a standalone IPv6 nexthop object is created with a loopback device\n(e.g., \"ip -6 nexthop add id 100 dev lo\"), fib6_nh_init() misclassifies\nit as a reject route. This is because nexthop objects have no destination\nprefix (fc_dst=::), causing fib6_is_reject() to match any loopback\nnexthop. The reject path skips fib_nh_common_init(), leaving\nnhc_pcpu_rth_output unallocated. If an IPv4 route later references this\nnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and\npanics.\n\nSimplify the check in fib6_nh_init() to only match explicit reject\nroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopback\npromotion heuristic in fib6_is_reject() is handled separately by\nip6_route_info_create_nh(). After this change, the three cases behave\nas follows:\n\n1. Explicit reject route (\"ip -6 route add unreachable 2001:db8::/64\"):\n RTF_REJECT is set, enters reject path, skips fib_nh_common_init().\n No behavior change.\n\n2. Implicit loopback reject route (\"ip -6 route add 2001:db8::/32 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. ip6_route_info_create_nh() still promotes it to reject\n afterward. nhc_pcpu_rth_output is allocated but unused, which is\n harmless.\n\n3. Standalone nexthop object (\"ip -6 nexthop add id 100 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. nhc_pcpu_rth_output is properly allocated, fixing the crash\n when IPv4 routes reference this nexthop."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/route.c"], "versions": [{"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "607e68c1b7c5a30c795571be1906d716e989a644", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "c11d7c56c2076ee9cd72004f1976fe0734df2ae9", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "b299121e7453d23faddf464087dff513a495b4fc", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "f7c9f8e3607440fe39300efbaf46cf7b5eecb23f", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "b3b5a037d520afe3d5276e653bc0ff516bbda34c", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "8650db85b4259d2885d2a80fbc2317ce24194133", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "21ec92774d1536f71bdc90b0e3d052eff99cf093", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/route.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644"}, {"url": "https://git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9"}, {"url": "https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a"}, {"url": "https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc"}, {"url": "https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f"}, {"url": "https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c"}, {"url": "https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133"}, {"url": "https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093"}], "title": "net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop\n\nWhen a standalone IPv6 nexthop object is created with a loopback device\n(e.g., \"ip -6 nexthop add id 100 dev lo\"), fib6_nh_init() misclassifies\nit as a reject route. This is because nexthop objects have no destination\nprefix (fc_dst=::), causing fib6_is_reject() to match any loopback\nnexthop. The reject path skips fib_nh_common_init(), leaving\nnhc_pcpu_rth_output unallocated. If an IPv4 route later references this\nnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and\npanics.\n\nSimplify the check in fib6_nh_init() to only match explicit reject\nroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopback\npromotion heuristic in fib6_is_reject() is handled separately by\nip6_route_info_create_nh(). After this change, the three cases behave\nas follows:\n\n1. Explicit reject route (\"ip -6 route add unreachable 2001:db8::/64\"):\n RTF_REJECT is set, enters reject path, skips fib_nh_common_init().\n No behavior change.\n\n2. Implicit loopback reject route (\"ip -6 route add 2001:db8::/32 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. ip6_route_info_create_nh() still promotes it to reject\n afterward. nhc_pcpu_rth_output is allocated but unused, which is\n harmless.\n\n3. Standalone nexthop object (\"ip -6 nexthop add id 100 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. nhc_pcpu_rth_output is properly allocated, fixing the crash\n when IPv4 routes reference this nexthop."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: ipv6: corrige el p\u00e1nico cuando una ruta IPv4 referencia un nexthop IPv6 de loopback\n\nCuando se crea un objeto nexthop IPv6 independiente con un dispositivo de loopback (p. ej., 'ip -6 nexthop add id 100 dev lo'), fib6_nh_init() lo clasifica err\u00f3neamente como una ruta de rechazo. Esto se debe a que los objetos nexthop no tienen prefijo de destino (fc_dst=::), lo que hace que fib6_is_reject() coincida con cualquier nexthop de loopback. La ruta de rechazo omite fib_nh_common_init(), dejando nhc_pcpu_rth_output sin asignar. Si una ruta IPv4 referencia posteriormente este nexthop, __mkroute_output() desreferencia nhc_pcpu_rth_output NULL y entra en p\u00e1nico.\n\nSimplificar la verificaci\u00f3n en fib6_nh_init() para que solo coincida con rutas de rechazo expl\u00edcitas (RTF_REJECT) en lugar de usar fib6_is_reject(). La heur\u00edstica de promoci\u00f3n de loopback en fib6_is_reject() se maneja por separado por ip6_route_info_create_nh(). Despu\u00e9s de este cambio, los tres casos se comportan de la siguiente manera:\n\n1. Ruta de rechazo expl\u00edcita ('ip -6 route add unreachable 2001:db8::/64'):\n RTF_REJECT est\u00e1 configurado, entra en la ruta de rechazo, omite fib_nh_common_init().\n Sin cambio de comportamiento.\n\n2. Ruta de rechazo de loopback impl\u00edcita ('ip -6 route add 2001:db8::/32 dev lo'):\n RTF_REJECT no est\u00e1 configurado, toma la ruta normal, se llama a fib_nh_common_init().\n ip6_route_info_create_nh() a\u00fan lo promueve a rechazo posteriormente. nhc_pcpu_rth_output se asigna pero no se usa, lo cual es inofensivo.\n\n3. Objeto nexthop independiente ('ip -6 nexthop add id 100 dev lo'):\n RTF_REJECT no est\u00e1 configurado, toma la ruta normal, se llama a fib_nh_common_init().\n nhc_pcpu_rth_output se asigna correctamente, corrigiendo el fallo cuando las rutas IPv4 referencian este nexthop."}], "id": "CVE-2026-23300", "lastModified": "2026-04-18T09:16:17.753", "metrics": {}, "published": "2026-03-25T11:16:25.623", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop", "id": "2451250", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451250"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-909", "details": ["A flaw was found in the Linux kernel's IPv6 networking stack. When a standalone IPv6 nexthop object is created with a loopback device, it is misclassified as a reject route, leading to an unallocated pointer. If an IPv4 route then attempts to reference this nexthop, it causes a NULL pointer dereference. This can result in a kernel panic, leading to a denial of service (DoS) for the system."], "name": "CVE-2026-23300", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23300\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23300\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23300-9bc4@gregkh/T"], "statement": "This flaw affects systems using advanced routing features with IPv6 nexthop objects on loopback devices. The misclassification causes nhc_pcpu_rth_output to remain unallocated, leading to a panic when IPv4 routes reference the nexthop. Triggering this requires specific routing configuration with nexthop objects on loopback, which is uncommon in typical deployments.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b299121e7453d23faddf464087dff513a495b4fc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,f7c9f8e3607440fe39300efbaf46cf7b5eecb23f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b3b5a037d520afe3d5276e653bc0ff516bbda34c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,8650db85b4259d2885d2a80fbc2317ce24194133)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,21ec92774d1536f71bdc90b0e3d052eff99cf093)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:05:15.814333+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch for this route handling bug"], "summary": {"action": "Apply Patch", "impact": "Kernel Crash / Denial of Service"}, "threat_synthesis": {"affected_systems": "This issue affects all Linux kernel builds that include the routing code, as indicated by the vendor entry for Linux:Linux and the generic CPE string for Linux kernels. No specific version range is listed in the CNA data, so any kernel version before the fix in commit 21ec9277 shall be considered vulnerable. The affected devices are those running a Linux kernel that has not been updated to incorporate the patch. The problem occurs only when a loopback device is used as a next\u2011hop for an IPv4 route via a standalone IPv6 nexthop object.", "description_and_impact": "The vulnerability resides in the Linux kernel\u2019s IPv6 routing code and triggers a panic when an IPv4 route references a loopback\u2011only IPv6 nexthop object. The panic occurs because the kernel misclassifies the standalone IPv6 nexthop as a reject route, skipping essential initialization and later dereferencing a NULL pointer. In practice, this leads to a full system crash, causing a loss of availability for affected hosts. The weakness is categorized as CWE\u2011909, an improper handling of an array index or pointer manipulation leading to a crash.", "risk_and_exploitability": "The CVSS score of 5.5 classifies the vulnerability as moderate, but the EPSS score indicates a very low probability of exploitation (<1%). The kernel crash is a denial\u2011of\u2011service attack, generally requiring the ability to create or modify routing entries. This capability is usually restricted to privileged users; remote exploitation is unlikely. The risk is therefore limited to insiders or attackers who have gained local or network\u2011configuration privileges. The absence of the vulnerability from the CISA KEV catalog further suggests that it has not been widely exploited in the wild."}}}}, "created": "2026-03-25T21:15:30.426232+00:00", "updated": "2026-03-27T09:50:06.316744+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}