CVE-2026-23203 Overview
A race condition vulnerability has been identified in the Linux kernel's cpsw_new network driver. The vulnerability occurs when the ndo_set_rx_mode callback is executed without proper RTNL (Route Netlink) lock handling. This issue was triggered after commit 1767bb2d47b7 removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations, causing an RTNL assertion failure when vlan_for_each() is called within cpsw_ndo_set_rx_mode().
Critical Impact
This vulnerability can cause kernel warnings and potential system instability on affected embedded systems, particularly BeagleBone Black and other AM33XX-based platforms running the affected Linux kernel versions.
Affected Products
- Linux kernel versions with cpsw_new network driver
- AM33XX-based systems (BeagleBone Black and similar platforms)
- Systems running kernel version 6.19.0-rc6 and potentially earlier affected versions
Discovery Timeline
- 2026-02-14 - CVE-2026-23203 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23203
Vulnerability Analysis
The vulnerability stems from improper synchronization in the Linux kernel's cpsw_new network driver. The ndo_set_rx_mode() callback function calls vlan_for_each(), which expects the RTNL lock to be held. However, following changes to IPv6 multicast handling that removed RTNL lock requirements for certain operations, this callback can now be invoked without the necessary lock being held.
The call trace demonstrates the issue pathway: when an IPv6 multicast group join operation (IPV6_ADD_MEMBERSHIP or MCAST_JOIN_GROUP) is performed via setsockopt(), the system traverses through do_ipv6_setsockopt() → __ipv6_sock_mc_join() → __ipv6_dev_mc_inc() → igmp6_group_added() → __dev_mc_add() → __hw_addr_ref_sync_dev() → cpsw_add_mc_addr() → vlan_for_each(), ultimately triggering the RTNL assertion failure at net/8021q/vlan_core.c:236.
Root Cause
The root cause is a lock synchronization issue introduced by commit 1767bb2d47b7 which removed the RTNL lock for IPv6 multicast join operations. The cpsw_new driver's ndo_set_rx_mode() implementation was not designed to handle being called both with and without the RTNL lock held, and directly adding rtnl_lock() in cpsw_ndo_set_rx_mode() is not viable since the function is invoked from different code paths with varying lock states.
Attack Vector
The vulnerability is triggered through local system operations, specifically when IPv6 multicast group membership is modified. While the attack vector is not fully characterized, exploitation requires:
- Access to a system with an AM33XX-based network interface using the cpsw_new driver
- Ability to perform socket operations that trigger IPv6 multicast group joins
- The rpcbind service or similar network services that perform multicast operations
The exploitation mechanism involves triggering the IPV6_ADD_MEMBERSHIP or MCAST_JOIN_GROUP socket options, which subsequently invoke the vulnerable code path without proper RTNL lock protection. This can cause kernel warnings and potentially lead to system instability or denial of service conditions on affected embedded devices.
Detection Methods for CVE-2026-23203
Indicators of Compromise
- Kernel warning messages containing "RTNL: assertion failed at net/8021q/vlan_core.c (236)"
- Call traces in kernel logs showing vlan_for_each → cpsw_add_mc_addr → __hw_addr_ref_sync_dev sequences
- System log entries from rpcbind or other multicast-enabled services triggering the vulnerability
Detection Strategies
- Monitor kernel logs (dmesg or /var/log/kern.log) for RTNL assertion failure warnings
- Implement log aggregation rules to detect call traces involving cpsw_ndo_set_rx_mode and vlan_for_each
- Deploy kernel tracing (ftrace/kprobe) on cpsw_add_mc_addr() to identify exploitation attempts
- Review system stability on AM33XX platforms after IPv6 multicast operations
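The log-matching strategy above can be implemented as follows. This is an added example, not code from the advisory or the kernel project: the sample log is constructed, and the 40-line correlation window and the "confirmed"/"partial" labels are assumptions.

```python
import re

# Warning text and call-path frames are taken from the advisory text.
ASSERT_RE = re.compile(r"RTNL: assertion failed at net/8021q/vlan_core\.c \(236\)")
PATH_FRAMES = ("vlan_for_each", "cpsw_add_mc_addr", "__hw_addr_ref_sync_dev")
# Matches a kernel stack frame such as "cpsw_add_mc_addr+0x54/0xd8".
FRAME_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
WINDOW = 40  # assumption: a trace follows its warning within 40 log lines


def find_rtnl_hits(lines):
    """Return one dict per RTNL assertion: line number, path frames, confidence."""
    hits = []
    for i, line in enumerate(lines):
        if not ASSERT_RE.search(line):
            continue
        frames = []
        for follow in lines[i + 1 : i + 1 + WINDOW]:
            if ASSERT_RE.search(follow):
                break  # the next warning starts here; do not mix traces
            m = FRAME_RE.search(follow)
            if m:
                frames.append(m.group(1))
        matched = [f for f in PATH_FRAMES if f in frames]
        hits.append({
            "line": i + 1,
            "frames": matched,
            # "confirmed" only when every frame of the documented path is present
            "confidence": "confirmed" if len(matched) == len(PATH_FRAMES) else "partial",
        })
    return hits


# Constructed sample input (not a captured log); offsets and timestamps are made up.
SAMPLE_LOG = """\
[  120.400000] RTNL: assertion failed at net/8021q/vlan_core.c (236)
[  120.400100] Call trace:
[  120.400200]  vlan_for_each+0x120/0x124
[  120.400300]  cpsw_add_mc_addr+0x54/0xd8
[  120.400400]  __hw_addr_ref_sync_dev+0xc4/0xec
[  120.400500]  __dev_mc_add+0x78/0x88
[  300.000000] RTNL: assertion failed at net/8021q/vlan_core.c (236)
[  300.000100]  some_other_driver_path+0x10/0x20
"""

if __name__ == "__main__":
    for hit in find_rtnl_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

A "partial" hit means the same assertion fired but the trace does not show the cpsw_new path, so it should be triaged separately.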
Monitoring Recommendations
- Enable kernel warning notifications for production AM33XX-based systems
- Monitor network driver behavior during multicast group operations
- Track system stability metrics on BeagleBone Black and similar embedded platforms
- Review logs for unexpected kernel warnings related to RTNL lock assertions
How to Mitigate CVE-2026-23203
Immediate Actions Required
- Apply the kernel patches referenced in the kernel git commits to affected systems
- Upgrade to a patched kernel version that includes the work queue fix for cpsw_new driver
- Monitor affected systems for signs of instability until patches can be applied
- Consider temporarily disabling IPv6 multicast functionality on critical embedded systems if patching is not immediately possible
Patch Information
The fix resolves the issue by executing the actual ndo_set_rx_mode processing within a work queue, following the approach used by the icssg-prueth driver. This ensures proper synchronization without requiring the RTNL lock to be held during the initial callback invocation.
Patches are available from the Linux kernel stable tree:
Workarounds
- Defer multicast group operations to controlled maintenance windows on affected embedded systems
- Disable IPv6 multicast functionality temporarily using sysctl settings if not required for operations
- Monitor and restart affected services (like rpcbind) if kernel warnings are observed
- Consider network isolation for vulnerable embedded devices until patches are applied
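# Temporary workaround: disable IPv6 on the affected interface.
# disable_ipv6=1 turns off all IPv6 on that interface, not only multicast.
# Replace eth0 with the name of the cpsw interface on your system.
# Note: This is a temporary measure until kernel patches are applied
sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
# To re-enable after patching
sysctl -w net.ipv6.conf.eth0.disable_ipv6=0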

