CVE-2026-23124

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23124
In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndisc_router_discovery() syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1] This looks fine, IFLA_INET6_RA_MTU is best effort. Add READ_ONCE()/WRITE_ONCE() to document the race. Note that we might also reject illegal MTU values (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. [1] BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... value changed: 0x00000000 -> 0xe5400659

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b Patch
https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9 Patch
https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5 Patch
https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5 Patch
https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428 Patch
https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
History

18 Mar 2026, 14:50

Type Values Removed Values Added
CWE NVD-CWE-noinfo
CPE cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
First Time Linux
Linux linux Kernel
References () https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b - () https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b - Patch
References () https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9 - () https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9 - Patch
References () https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5 - () https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5 - Patch
References () https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5 - () https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5 - Patch
References () https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428 - () https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428 - Patch
References () https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47 - () https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47 - Patch

18 Feb 2026, 17:52

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: ipv6: anotar condición de carrera de datos en ndisc_router_discovery() syzbot encontró que ndisc_router_discovery() podía leer y escribir in6_dev-&gt;ra_mtu sin mantener un bloqueo [1] Esto parece estar bien, IFLA_INET6_RA_MTU es de mejor esfuerzo. Añadir READ_ONCE()/WRITE_ONCE() para documentar la condición de carrera. Tenga en cuenta que también podríamos rechazar valores MTU ilegales (mtu &lt; IPV6_MIN_MTU || mtu &gt; skb-&gt;dev-&gt;mtu) en un parche futuro. [1] ERROR: KCSAN: condición de carrera de datos en ndisc_router_discovery / ndisc_router_discovery lectura a 0xffff888119809c20 de 4 bytes por la tarea 25817 en la cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... escritura a 0xffff888119809c20 de 4 bytes por la tarea 25816 en la cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... valor cambiado: 0x00000000 -&gt; 0xe5400659

14 Feb 2026, 15:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-14 15:16

Updated : 2026-03-18 14:50

NVD link : CVE-2026-23124

Mitre link : CVE-2026-23124

CVE.ORG link : CVE-2026-23124

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
NVD-CWE-noinfo