CVE-2026-23200 Overview
A vulnerability has been discovered in the Linux kernel's IPv6 routing subsystem that causes a kernel BUG when adding IPv6 routes due to an ECMP (Equal-Cost Multi-Path) sibling count mismatch. The flaw exists in the fib6_add_rt2node() function and was introduced by commit f72514b3c569 which added logic to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added.
The vulnerability occurs when RTF_ADDRCONF is cleared from a route that has a gateway, causing that route to become incorrectly eligible for ECMP routing. Because this route was never added to the fib6_siblings list, a mismatch develops between the sibling count computed by iterating the fib6_next chain and the actual siblings in the fib6_siblings list. When a subsequent ECMP route is added, the kernel triggers a BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) crash.
Critical Impact
Local attackers can trigger a kernel BUG (denial of service) by manipulating IPv6 routing entries, potentially causing system instability or crashes in network infrastructure.
Affected Products
- Linux Kernel (IPv6 networking subsystem)
- Systems running kernels with commit f72514b3c569 applied
- Network infrastructure and servers with IPv6 routing enabled
Discovery Timeline
- 2026-02-14 - CVE-2026-23200 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23200
Vulnerability Analysis
The vulnerability resides in the Linux kernel's IPv6 FIB (Forwarding Information Base) implementation, specifically in how the kernel manages ECMP route siblings. The root cause is a logic error in the handling of the RTF_ADDRCONF flag clearing operation.
When commit f72514b3c569 was introduced, it added functionality to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added. However, this change did not account for routes that have a gateway configured. The rt6_qualify_for_ecmp() function requires fib_nh_gw_family to be set for ECMP eligibility, so a route with a gateway can qualify for ECMP once RTF_ADDRCONF is no longer set on it.
The issue manifests as follows:
- An existing route with a gateway has RTF_ADDRCONF set
- A static route with the same nexthop is added
- RTF_ADDRCONF is cleared from the existing route
- The route now qualifies for ECMP via rt6_qualify_for_ecmp()
- However, this route was never added to the fib6_siblings list
- A count mismatch occurs between fib6_next chain iteration and fib6_siblings list
- Adding another ECMP route triggers BUG_ON() in fib6_add_rt2node() at line 1217 of net/ipv6/ip6_fib.c
Root Cause
The root cause is improper state management in the IPv6 routing code when clearing the RTF_ADDRCONF flag. The original commit did not consider that clearing this flag on routes with gateways would make them ECMP-eligible without properly integrating them into the ECMP sibling tracking structures. This represents a logic error in the route flag management that breaks internal consistency assumptions in the FIB6 subsystem.
Attack Vector
An attacker with local access to the system and sufficient privileges to manipulate IPv6 routing tables could exploit this vulnerability. The attack involves:
- Creating an IPv6 route with a gateway that has RTF_ADDRCONF set (typically from Router Advertisement)
- Adding a static route with the same nexthop to trigger the RTF_ADDRCONF clearing logic
- Adding another ECMP route to trigger the sibling count mismatch
- The kernel hits the BUG_ON() assertion, causing a kernel panic or system crash
The vulnerability was discovered by syzbot, indicating it can be triggered through various routing manipulation sequences. The kernel crash trace shows the call path through sock_ioctl → inet6_ioctl → ipv6_route_ioctl → ip6_route_add → fib6_add → fib6_add_rt2node.
Detection Methods for CVE-2026-23200
Indicators of Compromise
- Kernel crash logs referencing fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217
- System instability following IPv6 route manipulation operations
- Kernel oops messages with "invalid opcode: 0000" and references to ECMP siblings
- Unexpected system reboots on network infrastructure handling IPv6 traffic
Detection Strategies
- Monitor kernel logs for BUG_ON triggers in net/ipv6/ip6_fib.c
- Implement alerting on kernel panic events related to IPv6 routing subsystem
- Track routing table modifications for suspicious patterns of static route additions
- Use kernel crash dump analysis to identify exploitation attempts
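The log check described in the lists above, as an added example that is not part of the original advisory: it groups dmesg-style lines into BUG reports and flags those whose faulting function and file match this CVE. The sample log is constructed from the indicators quoted on this page, and the helper names (split_reports, classify, scan) and the dmesg timestamp format are assumptions.

```python
import re

# Constructed sample (not from a real host), built from the indicators on this page.
SAMPLE_LOG = """\
[  245.318225] kernel BUG at net/ipv6/ip6_fib.c:1217!
[  245.318240] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
[  245.318260] RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217
[  245.318300] Call Trace:
[  245.318310]  fib6_add+0x1a0/0x2c0
[  245.318320]  ip6_route_add+0x50/0xb0
[  245.318400] ---[ end trace 0000000000000000 ]---
[  300.000000] kernel BUG at fs/example/demo.c:100!
[  300.000010] RIP: 0010:demo_func+0x10/0x20 fs/example/demo.c:100
"""

TARGET_FILE, TARGET_FUNC, PAGE_LINE = "net/ipv6/ip6_fib.c", "fib6_add_rt2node", 1217
BUG_RE = re.compile(r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
RIP_RE = re.compile(r"RIP: \S+:(?P<func>[\w.]+)\+0x")
FRAME_RE = re.compile(r"^(?:\[[^\]]*\])?\s*\??\s*(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def split_reports(log):
    # Group lines into one list per "kernel BUG at" report.
    reports, current = [], None
    for line in log.splitlines():
        if BUG_RE.search(line):
            current = [line]
            reports.append(current)
        elif current is not None:
            current.append(line)
            if "end trace" in line:
                current = None
    return reports

def classify(report):
    """Return details if the report matches this CVE's crash signature, else None."""
    text = "\n".join(report)
    bug, rip = BUG_RE.search(text), RIP_RE.search(text)
    if bug.group("file") != TARGET_FILE or not rip or rip.group("func") != TARGET_FUNC:
        return None
    frames = [m.group("func") for m in map(FRAME_RE.match, report) if m]
    line = int(bug.group("line"))
    # Line numbers shift between kernel builds, so 1217 raises confidence only.
    return {"line": line, "exact_line": line == PAGE_LINE,
            "invalid_opcode": "invalid opcode: 0000" in text,
            "via_route_add": "ip6_route_add" in frames}

def scan(log):
    return [hit for hit in map(classify, split_reports(log)) if hit]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit with exact_line false still deserves review, since the same assertion can sit at a different line in a distribution kernel.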
Monitoring Recommendations
- Enable kernel crash dump collection for post-incident analysis
- Monitor for unusual ioctl calls to IPv6 routing interfaces
- Implement audit logging for routing table modifications
- Deploy system stability monitoring on network infrastructure nodes
How to Mitigate CVE-2026-23200
Immediate Actions Required
- Apply the latest kernel patches from upstream Linux kernel stable branches
- Monitor systems for signs of instability related to IPv6 routing
- Consider restricting IPv6 route manipulation privileges to essential users only
- Review routing configurations for potential problematic state combinations
Patch Information
The vulnerability has been fixed in the Linux kernel. The fix modifies the logic to only clear RTF_ADDRCONF when the existing route does not have a gateway. Routes without a gateway cannot qualify for ECMP anyway (since rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing RTF_ADDRCONF on them is safe and matches the original intent.
Multiple patch commits are available:
- Kernel Git Commit 50b7c7a2
- Kernel Git Commit b8ad2d53
- Kernel Git Commit bbf4a17a
- Kernel Git Commit d8143c54
Workarounds
- Restrict access to IPv6 routing manipulation interfaces using appropriate permissions
- Disable IPv6 on systems where it is not required as a temporary measure
- Implement network segmentation to limit exposure of vulnerable systems
- Monitor and alert on routing table changes to detect potential exploitation attempts
# Configuration example
# Temporarily disable IPv6 if not required (not recommended for production)
# Add to /etc/sysctl.conf or /etc/sysctl.d/99-disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Apply changes as root. --system loads /etc/sysctl.conf and /etc/sysctl.d/*.conf;
# plain "sysctl -p" reads only /etc/sysctl.conf
sysctl --system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


