{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23300", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:56.138Z", "dateUpdated": "2026-03-25T10:26:56.138Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:56.138Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop\n\nWhen a standalone IPv6 nexthop object is created with a loopback device\n(e.g., \"ip -6 nexthop add id 100 dev lo\"), fib6_nh_init() misclassifies\nit as a reject route. This is because nexthop objects have no destination\nprefix (fc_dst=::), causing fib6_is_reject() to match any loopback\nnexthop. The reject path skips fib_nh_common_init(), leaving\nnhc_pcpu_rth_output unallocated. If an IPv4 route later references this\nnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and\npanics.\n\nSimplify the check in fib6_nh_init() to only match explicit reject\nroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopback\npromotion heuristic in fib6_is_reject() is handled separately by\nip6_route_info_create_nh(). After this change, the three cases behave\nas follows:\n\n1. Explicit reject route (\"ip -6 route add unreachable 2001:db8::/64\"):\n RTF_REJECT is set, enters reject path, skips fib_nh_common_init().\n No behavior change.\n\n2. Implicit loopback reject route (\"ip -6 route add 2001:db8::/32 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. ip6_route_info_create_nh() still promotes it to reject\n afterward. nhc_pcpu_rth_output is allocated but unused, which is\n harmless.\n\n3. Standalone nexthop object (\"ip -6 nexthop add id 100 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. nhc_pcpu_rth_output is properly allocated, fixing the crash\n when IPv4 routes reference this nexthop."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/route.c"], "versions": [{"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "b299121e7453d23faddf464087dff513a495b4fc", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "f7c9f8e3607440fe39300efbaf46cf7b5eecb23f", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "b3b5a037d520afe3d5276e653bc0ff516bbda34c", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "8650db85b4259d2885d2a80fbc2317ce24194133", "status": "affected", "versionType": "git"}, {"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", "lessThan": "21ec92774d1536f71bdc90b0e3d052eff99cf093", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/route.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a"}, {"url": "https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc"}, {"url": "https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f"}, {"url": "https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c"}, {"url": "https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133"}, {"url": "https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093"}], "title": "net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop\n\nWhen a standalone IPv6 nexthop object is created with a loopback device\n(e.g., \"ip -6 nexthop add id 100 dev lo\"), fib6_nh_init() misclassifies\nit as a reject route. This is because nexthop objects have no destination\nprefix (fc_dst=::), causing fib6_is_reject() to match any loopback\nnexthop. The reject path skips fib_nh_common_init(), leaving\nnhc_pcpu_rth_output unallocated. If an IPv4 route later references this\nnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and\npanics.\n\nSimplify the check in fib6_nh_init() to only match explicit reject\nroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopback\npromotion heuristic in fib6_is_reject() is handled separately by\nip6_route_info_create_nh(). After this change, the three cases behave\nas follows:\n\n1. Explicit reject route (\"ip -6 route add unreachable 2001:db8::/64\"):\n RTF_REJECT is set, enters reject path, skips fib_nh_common_init().\n No behavior change.\n\n2. Implicit loopback reject route (\"ip -6 route add 2001:db8::/32 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. ip6_route_info_create_nh() still promotes it to reject\n afterward. nhc_pcpu_rth_output is allocated but unused, which is\n harmless.\n\n3. Standalone nexthop object (\"ip -6 nexthop add id 100 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. nhc_pcpu_rth_output is properly allocated, fixing the crash\n when IPv4 routes reference this nexthop."}], "id": "CVE-2026-23300", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.623", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop", "id": "2451250", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451250"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-909", "details": ["A flaw was found in the Linux kernel's IPv6 networking stack. When a standalone IPv6 nexthop object is created with a loopback device, it is misclassified as a reject route, leading to an unallocated pointer. If an IPv4 route then attempts to reference this nexthop, it causes a NULL pointer dereference. This can result in a kernel panic, leading to a denial of service (DoS) for the system."], "name": "CVE-2026-23300", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23300\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23300\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23300-9bc4@gregkh/T"], "statement": "This flaw affects systems using advanced routing features with IPv6 nexthop objects on loopback devices. The misclassification causes nhc_pcpu_rth_output to remain unallocated, leading to a panic when IPv4 routes reference the nexthop. Triggering this requires specific routing configuration with nexthop objects on loopback, which is uncommon in typical deployments.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b299121e7453d23faddf464087dff513a495b4fc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,f7c9f8e3607440fe39300efbaf46cf7b5eecb23f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b3b5a037d520afe3d5276e653bc0ff516bbda34c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,8650db85b4259d2885d2a80fbc2317ce24194133)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,21ec92774d1536f71bdc90b0e3d052eff99cf093)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T03:51:30.486618+00:00", "value": {"mitigation_remediation": ["Apply a mainstream kernel update that includes the routing fix or backport the specific upstream patch to the current kernel.", "Verify the running kernel version after the update to confirm the patch is present.", "Restart routing services or the entire system to ensure the new kernel is active.", "Monitor system logs (dmesg, /var/log/kern.log) for any unexpected panics to detect if the issue persists."], "summary": {"action": "Immediate patch", "impact": "Kernel panic due to NULL pointer dereference caused by misclassified IPv6 nexthop objects"}, "threat_synthesis": {"affected_systems": "All Linux kernels that predate the commit fixing the routing logic are affected. The vendor list indicates Linux:Linux, meaning any distribution using the upstream kernel before the change. No exact version ranges are supplied, so any kernel without the patch is potentially susceptible.", "description_and_impact": "An IPv6 nexthop created with a loopback interface (e.g., using \"ip -6 nexthop add id 100 dev lo\") is incorrectly detected as a reject route, causing the initialization routine to omit allocation of key data. When an IPv4 route later references this nexthop, the code dereferences a null pointer, causing the kernel to panic. This manifests as a system crash that can be detected by a sudden reboot or loss of networking services. The flaw is a classic NULL pointer dereference (CWE\u2011476) and a type confusion bug (CWE\u2011909). The CVSS score of 5.5 indicates moderate severity because the vulnerability is non\u2011remote and requires privileged route manipulation to trigger.", "risk_and_exploitability": "The CVSS score of 5.5 reflects a moderate risk, while the EPSS value of less than 1\u00a0% shows a low likelihood of exploitation in the wild. The bug is not in CISA\u2019s Known Exploited Vulnerabilities catalog. Likely attack conditions require elevated (root) privileges to add or modify routing entries, suggesting a local privileged attacker or a compromised system could exploit it. Because the panic occurs only when an IPv4 route references the malformed nexthop, the attack window is narrow and generally requires manual configuration steps."}}}}, "created": "2026-03-25T21:15:30.426232+00:00", "updated": "2026-03-26T12:16:56.371677+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}