CVE-2026-23300 - Vulnerability Details

- net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop

When a standalone IPv6 nexthop object is created with a loopback device
(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies
it as a reject route. This is because nexthop objects have no destination
prefix (fc_dst=::), causing fib6_is_reject() to match any loopback
nexthop. The reject path skips fib_nh_common_init(), leaving
nhc_pcpu_rth_output unallocated. If an IPv4 route later references this
nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and
panics.

Simplify the check in fib6_nh_init() to only match explicit reject
routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback
promotion heuristic in fib6_is_reject() is handled separately by
ip6_route_info_create_nh(). After this change, the three cases behave
as follows:

1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"):
RTF_REJECT is set, enters reject path, skips fib_nh_common_init().
No behavior change.

2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. ip6_route_info_create_nh() still promotes it to reject
afterward. nhc_pcpu_rth_output is allocated but unused, which is
harmless.

3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. nhc_pcpu_rth_output is properly allocated, fixing the crash
when IPv4 routes reference this nexthop.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernel’s IPv6 routing code and triggers a panic when an IPv4 route references a loopback‑only IPv6 nexthop object. The panic occurs because the kernel misclassifies the standalone IPv6 nexthop as a reject route, skipping essential initialization and later dereferencing a NULL pointer. In practice, this leads to a full system crash, causing a loss of availability for affected hosts. The weakness is categorized as CWE‑909, an improper handling of an array index or pointer manipulation leading to a crash.

Affected Systems

This issue affects all Linux kernel builds that include the routing code, as indicated by the vendor entry for Linux:Linux and the generic CPE string for Linux kernels. No specific version range is listed in the CNA data, so any kernel version before the fix in commit 21ec9277 shall be considered vulnerable. The affected devices are those running a Linux kernel that has not been updated to incorporate the patch. The problem occurs only when a loopback device is used as a next‑hop for an IPv4 route via a standalone IPv6 nexthop object.

Risk and Exploitability

The CVSS score of 5.5 classifies the vulnerability as moderate, but the EPSS score indicates a very low probability of exploitation (<1%). The kernel crash is a denial‑of‑service attack, generally requiring the ability to create or modify routing entries. This capability is usually restricted to privileged users; remote exploitation is unlikely. The risk is therefore limited to insiders or attackers who have gained local or network‑configuration privileges. The absence of the vulnerability from the CISA KEV catalog further suggests that it has not been widely exploited in the wild.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< 607e68c1b7c5a30c795571be1906d716e989a644
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< c11d7c56c2076ee9cd72004f1976fe0734df2ae9
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< b299121e7453d23faddf464087dff513a495b4fc
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< f7c9f8e3607440fe39300efbaf46cf7b5eecb23f
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< b3b5a037d520afe3d5276e653bc0ff516bbda34c
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< 8650db85b4259d2885d2a80fbc2317ce24194133
`493ced1ac47c48bb86d9d4e8e87df8592be85a0e`	affected	< 21ec92774d1536f71bdc90b0e3d052eff99cf093

Linux

affected

Version	Status	Constraints
`5.3`	affected	—
`0`	unaffected	< 5.3
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a)`	affected	code_commit	—
`[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b299121e7453d23faddf464087dff513a495b4fc)`	affected	code_commit	—
`[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,f7c9f8e3607440fe39300efbaf46cf7b5eecb23f)`	affected	code_commit	—
`[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,b3b5a037d520afe3d5276e653bc0ff516bbda34c)`	affected	code_commit	—
`[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,8650db85b4259d2885d2a80fbc2317ce24194133)`	affected	code_commit	—
`[493ced1ac47c48bb86d9d4e8e87df8592be85a0e,21ec92774d1536f71bdc90b0e3d052eff99cf093)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.3`	affected	generic	—
`[0,5.3)`	unaffected	generic	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the patch for this route handling bug

Generated by OpenCVE AI on March 26, 2026 at 14:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093
https://git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644
https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133
https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc
https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c
https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a
https://git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9
https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f
https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23300-9bc4@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23300
https://www.cve.org/CVERecord?id=CVE-2026-23300

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644 https://git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-909
References		https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23300-9bc4@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23300 https://www.cve.org/CVERecord?id=CVE-2026-23300
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics. Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows: 1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change. 2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless. 3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.
Title		net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093 https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133 https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:56.138Z

Updated: 2026-04-18T08:57:47.517Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23300

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:25.623

Modified: 2026-04-18T09:16:17.753

Link: CVE-2026-23300

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23300 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:06Z

Weaknesses

CWE-909

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object