Home

Description

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437) I was tempted to rework the un-slaving code to clear the flag first and insert synchronize_rcu() before we remove the upper. But looks like the explicit fallback to loopback_dev is an established pattern. And I guess avoiding the synchronize_rcu() is nice, too.

PUBLISHED Reserved 2026-01-13 | Published 2026-03-25 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before d542e2ac7f9e288d49735be0775611547ca4e0ee
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before a73fe9f4ae84a239d5b2686f47a58c158aee2eb4
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 4a48fe59f29f673a3d042d679f26629a9c3e29d4
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 581800298313c9fd75e94985e6d37d21b7e35d34
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 3310fc11fc47387d1dd4759b0bc961643ea11c7f
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 0b5a7826020706057cc5a9d9009e667027f221ee
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before ae88c8256547b63980770a9ea7be73a15900d27e
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 2ffb4f5c2ccb2fa1c049dd11899aee7967deef5a
affected

Default status
affected

4.14
affected

Any version before 4.14
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.167 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.77 (semver)
unaffected

6.18.17 (semver)
unaffected

6.19.7 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/d542e2ac7f9e288d49735be0775611547ca4e0ee

git.kernel.org/...c/a73fe9f4ae84a239d5b2686f47a58c158aee2eb4

git.kernel.org/...c/4a48fe59f29f673a3d042d679f26629a9c3e29d4

git.kernel.org/...c/581800298313c9fd75e94985e6d37d21b7e35d34

git.kernel.org/...c/3310fc11fc47387d1dd4759b0bc961643ea11c7f

git.kernel.org/...c/0b5a7826020706057cc5a9d9009e667027f221ee

git.kernel.org/...c/ae88c8256547b63980770a9ea7be73a15900d27e

git.kernel.org/...c/2ffb4f5c2ccb2fa1c049dd11899aee7967deef5a

cve.org (CVE-2026-23304)

nvd.nist.gov (CVE-2026-23304)

Download JSON