CVE-2026-23300 Overview
CVE-2026-23300 is a Null Pointer Dereference vulnerability in the Linux kernel's IPv6 networking subsystem. The vulnerability occurs when a standalone IPv6 nexthop object is created with a loopback device, and an IPv4 route subsequently references this nexthop. The fib6_nh_init() function misclassifies the nexthop as a reject route, causing fib_nh_common_init() to be skipped and leaving nhc_pcpu_rth_output unallocated. When __mkroute_output() later dereferences this NULL pointer, the kernel panics.
Critical Impact
This vulnerability can cause kernel panic and system crashes when IPv4 routes reference loopback IPv6 nexthop objects, leading to denial of service conditions.
Affected Products
- Linux kernel (net/ipv6 subsystem)
- Systems using IPv6 nexthop objects with loopback devices
- Network infrastructure utilizing mixed IPv4/IPv6 routing configurations
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23300 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23300
Vulnerability Analysis
The vulnerability resides in the fib6_nh_init() function within the Linux kernel's IPv6 routing implementation. When a standalone IPv6 nexthop object is created targeting a loopback device (e.g., using ip -6 nexthop add id 100 dev lo), the function incorrectly classifies it as a reject route.
This misclassification occurs because nexthop objects have no destination prefix (fc_dst=::), which causes fib6_is_reject() to match any loopback nexthop. When the reject path is taken, the code skips the call to fib_nh_common_init(), which is responsible for allocating the nhc_pcpu_rth_output structure.
The vulnerability manifests when an IPv4 route later references this improperly initialized nexthop. The __mkroute_output() function attempts to dereference nhc_pcpu_rth_output, which remains NULL, triggering a kernel panic.
Root Cause
The root cause is an overly broad condition check in fib6_nh_init() that uses fib6_is_reject() to determine reject routes. This heuristic incorrectly matches standalone nexthop objects targeting loopback devices, even though they are not actual reject routes. The fib6_is_reject() function's loopback promotion logic was designed for a different use case and should not apply to nexthop objects.
Attack Vector
An attacker with local access and permissions to configure network routes could trigger this vulnerability by:
- Creating a standalone IPv6 nexthop object targeting the loopback device
- Creating an IPv4 route that references this nexthop object
- Triggering route lookup operations that invoke __mkroute_output()
This sequence would cause the kernel to dereference a NULL pointer, resulting in a kernel panic and denial of service. The attack requires local network configuration privileges, making it primarily a local denial of service vulnerability.
The fix simplifies the condition check in fib6_nh_init() to only match explicit reject routes (those with RTF_REJECT flag set) rather than relying on the fib6_is_reject() heuristic. This ensures that standalone nexthop objects properly initialize nhc_pcpu_rth_output through fib_nh_common_init().
Detection Methods for CVE-2026-23300
Indicators of Compromise
- Kernel panic messages containing references to __mkroute_output() or nhc_pcpu_rth_output
- System crashes when configuring IPv4 routes that reference IPv6 nexthop objects
- Crash dumps showing NULL pointer dereference in the IPv6 routing subsystem
- Unexpected system reboots on network infrastructure devices running affected kernel versions
Detection Strategies
- Monitor kernel logs for panic events related to network routing functions
- Implement crash dump analysis to identify NULL pointer dereference patterns in __mkroute_output()
- Audit network configuration scripts for commands creating IPv6 nexthop objects on loopback devices
- Deploy kernel watchdog monitoring to detect and log unexpected kernel crashes
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information
- Configure syslog monitoring for kernel oops/panic messages in routing subsystems
- Implement automated alerting for unexpected system reboots on network infrastructure
- Monitor for unusual nexthop configuration patterns involving loopback devices
How to Mitigate CVE-2026-23300
Immediate Actions Required
- Apply the kernel patches available from the official Linux kernel git repository
- Avoid creating IPv6 nexthop objects targeting loopback devices until patched
- Review existing network configurations for potentially problematic nexthop configurations
- Consider temporarily disabling IPv6 nexthop functionality if patches cannot be immediately applied
Patch Information
Multiple patches have been released to address this vulnerability across different kernel branches. The fix modifies fib6_nh_init() to check only for explicit RTF_REJECT flag instead of using the broader fib6_is_reject() heuristic. Patches are available from the following kernel git commits:
- Kernel Git Commit 21ec927
- Kernel Git Commit 8650db85
- Kernel Git Commit b299121e
- Kernel Git Commit b3b5a037
- Kernel Git Commit b5062fc2
- Kernel Git Commit f7c9f8e3
Workarounds
- Avoid creating standalone IPv6 nexthop objects on loopback devices (lo)
- Do not reference IPv6 nexthop objects from IPv4 routes until the kernel is patched
- Use explicit reject routes with RTF_REJECT flag instead of loopback nexthop configurations
- Restrict network configuration privileges to trusted administrators only
# Verify current nexthop configurations
ip -6 nexthop show
# Remove potentially problematic loopback nexthops
ip -6 nexthop del id <nexthop_id>
# Check kernel version for patch status
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
