Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()

l3mdev_master_dev_rcu() can return NULL when the slave device is being
un-slaved from a VRF. All other callers deal with this, but we lost
the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu()
with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on
device with address").

KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)
Call Trace:
ip6_pol_route (net/ipv6/route.c:2318)
fib6_rule_lookup (net/ipv6/fib6_rules.c:115)
ip6_route_output_flags (net/ipv6/route.c:2607)
vrf_process_v6_outbound (drivers/net/vrf.c:437)

I was tempted to rework the un-slaving code to clear the flag first
and insert synchronize_rcu() before we remove the upper. But looks like
the explicit fallback to loopback_dev is an established pattern.
And I guess avoiding the synchronize_rcu() is nice, too.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel crash
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a NULL pointer dereference in the Linux kernel's IPv6 routing code, triggered when a device is un-slaved from a Virtual Routing and Forwarding (VRF) instance. The bug causes the kernel to dereference a NULL pointer during route allocation, leading to a kernel panic and a system reboot. The weakness corresponds to CWE‑476 and results in a denial of service by crashing the operating system.

Affected Systems

Any Linux system running a kernel version that includes the affected IPv6 routing code, regardless of distribution, is potentially vulnerable. The issue is tied to devices that use VRF functionality for IPv6 routing. No specific vendor or version is listed, so all kernels preceding the patch incorporating commit 4832c30d5458 are affected.

Risk and Exploitability

The CVSS score for this issue is 5.5, indicating moderate severity. An EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require triggering the VRF un‑slaving process, which is usually a local or privileged operation; thus the attack vector is likely local or requires elevated privileges. Overall, the risk is moderate but the probability of real‑world exploitation is low.

Generated by OpenCVE AI on March 26, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix (commit 4832c30d5458).
  • Reboot the system to ensure the patched kernel is running.
  • If an immediate kernel upgrade is not possible, consider disabling VRF or preventing un‑slave operations as a temporary containment.

Generated by OpenCVE AI on March 26, 2026 at 02:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437) I was tempted to rework the un-slaving code to clear the flag first and insert synchronize_rcu() before we remove the upper. But looks like the explicit fallback to loopback_dev is an established pattern. And I guess avoiding the synchronize_rcu() is nice, too.
Title ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:51.949Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23304

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:26.180

Modified: 2026-04-18T09:16:18.170

Link: CVE-2026-23304

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23304 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:16:52Z

Weaknesses