CVE-2026-23124 - Vulnerability Details

- ipv6: annotate data-race in ndisc_router_discovery()

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: annotate data-race in ndisc_router_discovery()

syzbot found that ndisc_router_discovery() could read and write
in6_dev->ra_mtu without holding a lock [1]

This looks fine, IFLA_INET6_RA_MTU is best effort.

Add READ_ONCE()/WRITE_ONCE() to document the race.

Note that we might also reject illegal MTU values
(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.

[1]
BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery

read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:
ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...

write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:
ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...

value changed: 0x00000000 -> 0xe5400659

Published: 2026-02-14

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a race condition in the Linux kernel's IPv6 router discovery function, which reads and writes the in6_dev->ra_mtu field without proper synchronization. The race can result in inconsistent or corrupted values for the router advertisement MTU, leading to unpredictable kernel behavior and potential memory corruption. According to the KCSAN diagnostic output, concurrent read and write operations on this field were observed, indicating that an attacker could trigger the race by sending crafted IPv6 router advertisement packets.

Affected Systems

The affected code exists in the Linux kernel, specifically documented in version 6.19 release candidates (rc1 through rc6). The CPE entries also list the generic "linux_kernel" product, implying that any kernel build containing this code path is potentially affected until the patch is applied. Users running Linux kernel 6.19 or earlier, or any derivative that has not yet incorporated the fix, should consider their systems vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. The EPSS probability is below 1 %, reflecting a low but non-zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been exploited at large scale. The attack vector appears to be local or network-based: an adversary can craft IPv6 router advertisement packets that manipulate the MTU value, potentially triggering the race. Because the fix currently only annotates the race without addressing the underlying synchronization error, the risk remains until an official kernel update is released.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7`	affected	< 4630897eb1a039b5d7b737b8dc9521d9d4b568b5
`49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7`	affected	< 2619499169fb1c2ac4974b0f2d87767fb543582b
`49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7`	affected	< fad8f4ff7928f4d52a062ffdcffa484989c79c47
`49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7`	affected	< 2a2b9d25f801afecf2f83cacce98afa8fd73e3c9
`49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7`	affected	< e3c1040252e598f7b4e33a42dc7c38519bc22428
`49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7`	affected	< 9a063f96d87efc3a6cc667f8de096a3d38d74bb5

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`5.15.199`	unaffected	≤ 5.15.*
`6.1.162`	unaffected	≤ 6.1.*
`6.6.122`	unaffected	≤ 6.6.*
`6.12.68`	unaffected	≤ 6.12.*
`6.18.8`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`[49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7,4630897eb1a039b5d7b737b8dc9521d9d4b568b5)`	affected	code_commit	—
`[49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7,2619499169fb1c2ac4974b0f2d87767fb543582b)`	affected	code_commit	—
`[49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7,fad8f4ff7928f4d52a062ffdcffa484989c79c47)`	affected	code_commit	—
`[49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7,2a2b9d25f801afecf2f83cacce98afa8fd73e3c9)`	affected	code_commit	—
`[49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7,e3c1040252e598f7b4e33a42dc7c38519bc22428)`	affected	code_commit	—
`[49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7,9a063f96d87efc3a6cc667f8de096a3d38d74bb5)`	affected	code_commit	—

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`5.15`	affected	semver	—
`[0,5.15)`	unaffected	semver	—
`[5.15.199,5.16.0)`	unaffected	semver	—
`[6.1.162,6.2.0)`	unaffected	semver	—
`[6.6.122,6.7.0)`	unaffected	semver	—
`[6.12.68,6.13.0)`	unaffected	semver	—
`[6.18.8,6.19.0)`	unaffected	semver	—
`[6.19,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch for IPv6 router discovery data race (consult kernel changelogs for verification).
If kernel upgrade is not immediately possible, disable or restrict acceptance of IPv6 router advertisements on untrusted interfaces using sysctl directives such as net.ipv6.conf.all.accept_ra=0 and net.ipv6.conf.default.accept_ra=0 to reduce the attack surface.
Use firewall rules to drop unsolicited ICMPv6 RA packets and monitor system logs for KCSAN data race warnings to detect potential exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8162-1	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-8180-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8180-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8186-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8187-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8188-1	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-8180-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8180-4	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8180-5	Linux kernel (IBM) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b
https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9
https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5
https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5
https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428
https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47
https://lore.kernel.org/linux-cve-announce/2026021409-CVE-2026-23124-2074@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23124
https://www.cve.org/CVERecord?id=CVE-2026-23124

History

Fri, 17 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Wed, 18 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 16 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026021409-CVE-2026-23124-2074@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23124 https://www.cve.org/CVERecord?id=CVE-2026-23124
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Sat, 14 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndisc_router_discovery() syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1] This looks fine, IFLA_INET6_RA_MTU is best effort. Add READ_ONCE()/WRITE_ONCE() to document the race. Note that we might also reject illegal MTU values (mtu < IPV6_MIN_MTU \|\| mtu > skb->dev->mtu) in a future patch. [1] BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... value changed: 0x00000000 -> 0xe5400659
Title		ipv6: annotate data-race in ndisc_router_discovery()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9 https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5 https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5 https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428 https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-14T15:09:54.043Z

Updated: 2026-02-14T15:09:54.043Z

Reserved: 2026-01-13T15:37:45.970Z

Link: CVE-2026-23124

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-14T15:16:07.633

Modified: 2026-03-18T14:50:31.123

Link: CVE-2026-23124

Redhat

Severity : Important

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23124 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T19:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object