CVE-2026-23124 Overview
A data race vulnerability has been identified in the Linux kernel's IPv6 implementation, specifically within the ndisc_router_discovery() function. This vulnerability was discovered by syzbot and involves concurrent read and write operations to in6_dev->ra_mtu without proper locking mechanisms, leading to a KCSAN (Kernel Concurrency Sanitizer) reported data race condition.
The vulnerability occurs in the Neighbor Discovery (ND) protocol implementation used for IPv6 Router Advertisement processing. When multiple tasks process router discovery messages simultaneously, they can access and modify the ra_mtu field concurrently, resulting in undefined behavior and potential system instability.
Critical Impact
The data race in ndisc_router_discovery() could lead to inconsistent MTU values being applied to IPv6 network interfaces, potentially causing network connectivity issues or system instability on multi-core systems processing high volumes of IPv6 Router Advertisements.
Affected Products
- Linux kernel (multiple versions with IPv6 ndisc implementation)
- Systems running Linux with IPv6 networking enabled
- Multi-core systems processing IPv6 Router Advertisement messages
Discovery Timeline
- 2026-02-14 - CVE-2026-23124 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23124
Vulnerability Analysis
This vulnerability is a race condition in the Linux kernel's IPv6 Neighbor Discovery implementation. The ndisc_router_discovery() function, located in net/ipv6/ndisc.c, processes incoming Router Advertisement messages to configure IPv6 network parameters, including the MTU (Maximum Transmission Unit) value advertised by routers.
The race condition occurs when two or more CPU cores simultaneously execute ndisc_router_discovery() for the same network interface. One task may be reading the in6_dev->ra_mtu value at line 1558 while another task is writing to it at line 1559, without any synchronization primitives protecting these operations. The KCSAN report shows the value changing from 0x00000000 to 0xe5400659 during the race, indicating corruption of the MTU value.
While the impact is characterized as "best effort" since IFLA_INET6_RA_MTU handling is not critical to system security, the race condition could result in incorrect MTU values being applied, potentially affecting IPv6 network performance or connectivity.
Root Cause
The root cause of this vulnerability is the absence of proper synchronization when accessing the in6_dev->ra_mtu field in the ndisc_router_discovery() function. The code performs both read and write operations on this shared data structure without holding a lock or using atomic operations.
The fix involves adding READ_ONCE() and WRITE_ONCE() macros to document the intentional data race and ensure the compiler does not optimize the memory accesses in unexpected ways. These macros provide compiler barriers that prevent problematic optimizations while acknowledging that the race is benign in this specific context.
Attack Vector
The attack vector for this vulnerability requires network access to send IPv6 Router Advertisement messages to a vulnerable system. The exploitation scenario involves:
- An attacker on the same network segment (or with the ability to inject IPv6 RA packets)
- Sending multiple Router Advertisement messages simultaneously
- Targeting multi-core systems where parallel processing of RA messages can trigger the race
The practical exploitability is limited as the race condition primarily affects MTU value consistency rather than providing direct code execution or privilege escalation capabilities. The vulnerability is more likely to cause system instability or network performance degradation rather than security compromise.
Detection Methods for CVE-2026-23124
Indicators of Compromise
- KCSAN kernel warnings in system logs referencing ndisc_router_discovery data-race
- Kernel messages showing "BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery"
- Unexpected IPv6 MTU values on network interfaces (ip -6 addr show showing inconsistent MTU)
- Network connectivity issues on IPv6-enabled interfaces following high volumes of Router Advertisements
Detection Strategies
- Monitor kernel logs for KCSAN data-race warnings involving net/ipv6/ndisc.c
- Implement network monitoring to detect unusual volumes of IPv6 Router Advertisement packets
- Use kernel debugging tools like KCSAN on test systems to identify race conditions
- Deploy SentinelOne agents to monitor for kernel anomalies and memory access violations
Monitoring Recommendations
- Enable KCSAN in development and testing environments to detect similar race conditions
- Monitor system stability metrics on production systems with heavy IPv6 traffic
- Track IPv6 interface MTU values for unexpected changes or inconsistencies
- Review kernel logs regularly for networking-related warnings and errors
How to Mitigate CVE-2026-23124
Immediate Actions Required
- Update the Linux kernel to a patched version containing the READ_ONCE()/WRITE_ONCE() fixes
- Review kernel commit patches for the specific kernel version in use
- Consider implementing IPv6 RA rate limiting on network boundaries to reduce exposure
- Monitor systems for signs of network instability related to IPv6 configuration
Patch Information
Multiple kernel patches have been released to address this vulnerability. The fix adds READ_ONCE() and WRITE_ONCE() annotations to properly document and handle the race condition in ndisc_router_discovery(). The patches are available through the following kernel commits:
- Kernel Commit Security Update 1
- Kernel Commit Security Update 2
- Kernel Commit Security Update 3
- Kernel Commit Security Update 4
- Kernel Commit Security Update 5
- Kernel Commit Security Update 6
Workarounds
- Implement IPv6 Router Advertisement filtering at network boundaries using ip6tables or firewall rules
- Disable IPv6 on systems where it is not required: sysctl -w net.ipv6.conf.all.disable_ipv6=1
- Configure static IPv6 MTU values to avoid relying on Router Advertisement MTU updates
- Limit IPv6 RA acceptance using sysctl -w net.ipv6.conf.all.accept_ra=0 on systems with static configuration
# Configuration example - Disable IPv6 Router Advertisement acceptance
sysctl -w net.ipv6.conf.all.accept_ra=0
sysctl -w net.ipv6.conf.default.accept_ra=0
# Make changes persistent across reboots
echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
# Alternative: Filter ICMPv6 Router Advertisements at firewall level
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
