CVE-2026-23124: Linux Kernel Race Condition Vulnerability

CVE-2026-23124 is a race condition flaw in the Linux Kernel's IPv6 ndisc_router_discovery() function that allows concurrent read/write operations without proper locking. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-23124 Overview

CVE-2026-23124 is a data race vulnerability in the Linux kernel's IPv6 neighbor discovery subsystem. The flaw exists in the ndisc_router_discovery() function within net/ipv6/ndisc.c, where concurrent tasks can read and write the in6_dev->ra_mtu field without holding a lock. The syzbot fuzzer identified the issue using the Kernel Concurrency Sanitizer (KCSAN). The race condition affects multiple Linux kernel versions, including the 6.19 release candidates. Exploitation requires local access and can produce inconsistent IPv6 MTU state, potentially causing availability impact on affected systems.

Critical Impact

A local attacker with low privileges can trigger a concurrent read/write on in6_dev->ra_mtu through crafted IPv6 router advertisement processing, leading to availability degradation.

Affected Products

  • Linux Kernel 6.19-rc1 through 6.19-rc6
  • Linux Kernel stable branches prior to fix commits referenced in upstream advisories
  • Linux distributions shipping unpatched kernels with the IPv6 stack enabled

Discovery Timeline

  • 2026-02-14 - CVE-2026-23124 published to NVD
  • 2026-03-18 - Last updated in NVD database

Technical Details for CVE-2026-23124

Vulnerability Analysis

The vulnerability is a data race [CWE-362-class] in the IPv6 Neighbor Discovery Protocol (NDP) implementation. The ndisc_router_discovery() function processes incoming Router Advertisement (RA) messages and updates the ra_mtu member of the in6_dev structure. Two concurrent invocations of the function on different CPUs can read and write the same 4-byte ra_mtu field without serialization. KCSAN reported the race with a value transition from 0x00000000 to 0xe5400659, demonstrating an unsynchronized write observed by a concurrent reader. The kernel maintainers classified this as benign in functional terms because IFLA_INET6_RA_MTU is documented as best-effort. However, the unannotated access constitutes undefined behavior under the kernel memory model and may produce torn reads on architectures with non-atomic word access semantics.

Root Cause

The root cause is the absence of memory access annotations on a shared field accessed across multiple execution contexts. The ra_mtu field is updated whenever an IPv6 host receives a Router Advertisement containing an MTU option. Because RA processing executes in softirq context and can run concurrently on different CPUs, the load and store on in6_dev->ra_mtu are racy. The upstream fix introduces READ_ONCE() and WRITE_ONCE() annotations to document the race and prevent compiler-introduced load/store tearing.

Attack Vector

The attack vector is local, with low attack complexity and low privileges required. An attacker on the local network segment, or a local user able to inject IPv6 router advertisements through a tun/tap interface or namespace, can flood the system with crafted RA messages. Concurrent processing of these messages triggers the race on ra_mtu, which can yield inconsistent MTU state and induce availability impact in IPv6 traffic handling.

The vulnerability mechanism involves two CPUs simultaneously executing ndisc_router_discovery() at net/ipv6/ndisc.c:1558 and :1559. One CPU reads in6_dev->ra_mtu while another writes a new value sourced from the incoming RA. Without READ_ONCE()/WRITE_ONCE(), the compiler is free to split, fuse, or reorder these accesses. See the upstream patch commit fad8f4ff for the exact code change.

Detection Methods for CVE-2026-23124

Indicators of Compromise

  • KCSAN warnings in dmesg or kernel logs referencing ndisc_router_discovery and the address of in6_dev->ra_mtu.
  • Unexpected fluctuations in IPv6 path MTU values reported by ip -6 link show or ip -6 route get.
  • High volumes of inbound ICMPv6 Router Advertisement traffic from non-authorized sources on local segments.

Detection Strategies

  • Enable KCSAN on test or canary kernels to surface unannotated concurrent accesses in IPv6 code paths.
  • Monitor kernel ring buffer output for BUG: KCSAN: data-race entries originating in net/ipv6/ndisc.c.
  • Compare installed kernel build identifiers against the patched commit hashes listed in the upstream advisories.
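
The ring-buffer check described above, as an added example that is not part of the original advisory: it reads kernel log text on stdin and prints one summary line per KCSAN report involving ndisc_router_discovery(). The sample log is constructed from the details quoted on this page; the function names sample_log and scan_kcsan_ndisc are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: summarise KCSAN data-race reports that involve
# ndisc_router_discovery() from kernel log text on stdin.

# Constructed sample log. It reuses the details quoted on this page (4-byte
# access, ndisc.c:1558/1559, 0x00000000 -> 0xe5400659); addresses, task ids,
# offsets and the unrelated second report are made up.
sample_log() {
cat <<'EOF'
[  101.000001] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  212.345678] BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery
[  212.345690] read to 0xffff888100000020 of 4 bytes by task 4101 on cpu 1:
[  212.345701]  ndisc_router_discovery+0x100/0x200 net/ipv6/ndisc.c:1558
[  212.345712] write to 0xffff888100000020 of 4 bytes by task 4100 on cpu 0:
[  212.345723]  ndisc_router_discovery+0x110/0x200 net/ipv6/ndisc.c:1559
[  212.345734] value changed: 0x00000000 -> 0xe5400659
[  300.000000] BUG: KCSAN: data-race in example_fn_a / example_fn_b
[  300.000010] read to 0xffff888100000abc of 4 bytes by task 77 on cpu 2:
[  300.000020]  example_fn_a+0x10/0x20 drivers/example/example.c:10
EOF
}

scan_kcsan_ndisc() {
  awk '
    # Print the report collected so far, if it was an ndisc one.
    function emit() {
      if (active) printf "addr=%s read=%s write=%s value=%s\n", addr, loc["read"], loc["write"], val
      active = 0
    }
    /BUG: KCSAN: data-race in / {          # a new report starts here
      emit()
      if ($0 ~ /ndisc_router_discovery/) {
        active = 1; kind = ""; addr = val = "?"; loc["read"] = loc["write"] = "?"
      }
      next
    }
    !active { next }                        # ignore lines outside ndisc reports
    match($0, /(read|write) to 0x[0-9a-f]+/) {   # access header: kind and address
      split(substr($0, RSTART, RLENGTH), f, " "); kind = f[1]; addr = f[3]; next
    }
    kind != "" && match($0, /net\/ipv6\/ndisc\.c:[0-9]+/) {   # first ndisc.c frame per access
      if (loc[kind] == "?") loc[kind] = substr($0, RSTART, RLENGTH); next
    }
    match($0, /0x[0-9a-f]+ -> 0x[0-9a-f]+/) && /value changed/ { val = substr($0, RSTART, RLENGTH) }
    END { emit() }                          # report without a trailing BUG line
  '
}

# Demo on the constructed sample; on a host use: dmesg | scan_kcsan_ndisc
sample_log | scan_kcsan_ndisc
```

Fields that a report does not contain are printed as "?", so a report without a "value changed" line is still listed.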

Monitoring Recommendations

  • Track ICMPv6 type 134 (Router Advertisement) message rates at network ingress points and on host interfaces.
  • Alert on anomalous IPv6 RA sources that do not match the authorized default router set.
  • Audit Linux hosts for kernel package versions and flag systems running 6.19-rc1 through 6.19-rc6 builds.

How to Mitigate CVE-2026-23124

Immediate Actions Required

  • Identify all Linux hosts running affected kernel versions, prioritizing systems with IPv6 enabled on untrusted network segments.
  • Apply the upstream stable kernel update containing the READ_ONCE()/WRITE_ONCE() annotations for in6_dev->ra_mtu.
  • Restrict acceptance of IPv6 Router Advertisements to trusted interfaces by configuring net.ipv6.conf.<iface>.accept_ra on hosts that do not require RA-based autoconfiguration.

Patch Information

The Linux kernel maintainers resolved this issue across multiple stable branches. The fix annotates the racy access using READ_ONCE() and WRITE_ONCE() and may be followed by an additional patch rejecting illegal MTU values where mtu < IPV6_MIN_MTU or mtu > skb->dev->mtu. Patched commits include 2619499169, 2a2b9d25, 4630897eb, 9a063f96, e3c10402, and fad8f4ff.

Workarounds

  • Disable IPv6 Router Advertisement acceptance on hosts that rely on static IPv6 configuration using sysctl -w net.ipv6.conf.all.accept_ra=0.
  • Deploy RA Guard or equivalent Layer 2 filtering on switches to block unsolicited Router Advertisements from untrusted ports.
  • Limit local user access to network namespace creation utilities such as unshare and ip netns to reduce the attack surface for crafted RA injection.

```bash
# Configuration example: disable RA acceptance on all interfaces
sysctl -w net.ipv6.conf.all.accept_ra=0
sysctl -w net.ipv6.conf.default.accept_ra=0

# Verify installed kernel and confirm a patched build is in use
uname -r
```
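
A host audit covering the kernel-version check from the monitoring recommendations and the accept_ra workaround, as an added example that is not part of the original advisory. It flags release strings in the 6.19-rc1 through 6.19-rc6 range and lists each interface's own accept_ra value, so an interface still set to 1 or 2 is visible after the sysctl change; the function names and the optional directory argument are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: flag affected release-candidate kernels and list interfaces
# that still accept Router Advertisements.

# Return 0 when a kernel release string is 6.19-rc1 .. 6.19-rc6 (the range
# named on this page). Accepts both "6.19-rcN" and "6.19.0-rcN" spellings,
# with an optional build suffix. Stable and distribution kernels cannot be
# judged from the string alone; compare those against the vendor advisory.
is_affected_rc() {
  case "$1" in
    6.19-rc[1-6]|6.19-rc[1-6][!0-9]*|6.19.0-rc[1-6]|6.19.0-rc[1-6][!0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "iface=value" for every interface whose accept_ra is not 0.
# $1 is the conf directory to inspect (assumption: defaults to the live /proc
# tree; a copy or a test fixture can be passed instead).
ra_accepting_ifaces() {
  conf_dir=${1:-/proc/sys/net/ipv6/conf}
  for f in "$conf_dir"/*/accept_ra; do
    [ -r "$f" ] || continue
    iface=$(basename "$(dirname "$f")")
    # "all" and "default" are templates, not interfaces.
    case "$iface" in all|default) continue ;; esac
    val=$(cat "$f")
    if [ "$val" != "0" ]; then
      printf '%s=%s\n' "$iface" "$val"
    fi
  done
  return 0
}

# Run against the local host.
if is_affected_rc "$(uname -r)"; then
  echo "kernel $(uname -r): within the affected 6.19-rc1..rc6 range"
fi
ra_accepting_ifaces
```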

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.