CVE-2026-23304 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's IPv6 routing subsystem. The vulnerability exists in the ip6_rt_get_dev_rcu() function where l3mdev_master_dev_rcu() can return NULL when a slave device is being un-slaved from a VRF (Virtual Routing and Forwarding) domain. This condition was introduced when the fallback to loopback device was inadvertently removed in a prior commit.
Critical Impact
This vulnerability can cause kernel crashes (denial of service) when IPv6 routing operations occur during VRF device un-slaving operations, potentially affecting system availability in environments utilizing VRF for network segmentation.
Affected Products
- Linux Kernel (versions with commit 4832c30d5458 "net: ipv6: put host and anycast routes on device with address")
- Systems utilizing VRF (Virtual Routing and Forwarding) with IPv6 networking
- Network devices and servers running affected kernel versions
Discovery Timeline
- 2026-03-25 - CVE-2026-23304 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23304
Vulnerability Analysis
This vulnerability is a NULL pointer dereference that occurs in the Linux kernel's IPv6 routing code path. The issue manifests in ip6_rt_get_dev_rcu() when called from ip6_rt_pcpu_alloc() during per-CPU route allocation for IPv6 traffic.
When a network device is being un-slaved from a VRF, the l3mdev_master_dev_rcu() function can legitimately return NULL. While other callers in the kernel properly handle this NULL case by falling back to the loopback device, this specific code path lost that fallback mechanism after commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") was introduced.
The vulnerability triggers during IPv6 route lookups when the system attempts to process outbound traffic through a VRF interface that is in the process of being reconfigured or removed.
Root Cause
The root cause is a missing NULL pointer check and fallback mechanism in ip6_rt_get_dev_rcu(). The function l3mdev_master_dev_rcu() can return NULL during device un-slaving operations, but the calling code does not handle this case properly. The original fallback to loopback_dev was removed in a prior commit, creating a race condition window where a NULL dereference can occur.
The KASAN (Kernel Address Sanitizer) output indicates the NULL pointer dereference occurs at memory address range 0x0000000000000108-0x000000000000010f, which corresponds to accessing a field offset within a NULL device structure pointer.
Attack Vector
The attack vector involves triggering VRF configuration changes while IPv6 routing operations are in progress. The vulnerable call trace is as follows, innermost frame first (each function is called by the one listed below it):
ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)
└── ip6_pol_route (net/ipv6/route.c:2318)
└── fib6_rule_lookup (net/ipv6/fib6_rules.c:115)
└── ip6_route_output_flags (net/ipv6/route.c:2607)
└── vrf_process_v6_outbound (drivers/net/vrf.c:437)
An attacker with sufficient privileges to modify network device configurations could potentially trigger this condition to cause a kernel panic, resulting in denial of service. The vulnerability requires local access or the ability to remotely trigger VRF reconfiguration operations.
Detection Methods for CVE-2026-23304
Indicators of Compromise
- Kernel panic or oops messages containing references to ip6_rt_get_dev_rcu or ip6_rt_pcpu_alloc
- KASAN reports indicating null-ptr-deref in the IPv6 routing code path at net/ipv6/route.c:1418
- System crashes or unexpected reboots correlating with VRF configuration changes
- Kernel log entries showing call traces through vrf_process_v6_outbound and ip6_route_output_flags
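The indicators above can be checked mechanically against collected kernel logs. The following Python is an added example, not part of the original advisory or of any vendor tooling; the sample log is constructed from the frames and address range quoted on this page, with made-up timestamps and a made-up unrelated crash (`example_drv_poll`) as a negative case.

```python
import re

# Function names the advisory lists as indicators for CVE-2026-23304.
ROUTE_FRAMES = {"ip6_rt_get_dev_rcu", "ip6_rt_pcpu_alloc"}
VRF_PATH_FRAMES = {"vrf_process_v6_outbound", "ip6_route_output_flags"}
NULL_DEREF = re.compile(r"KASAN: null-ptr-deref|kernel NULL pointer dereference")
# A frame is "func+0xOFF/0xLEN" (raw) or "func (file.c:LINE)" (decoded trace).
FRAME = re.compile(r"([A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+| \([\w./-]+:\d+\))")

# Constructed sample: page's frames/offsets; timestamps and example_drv_* made up.
SAMPLE_LOG = """\
[  101.200010] KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
[  101.200020] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)
[  101.200040]  ip6_pol_route (net/ipv6/route.c:2318)
[  101.200050]  fib6_rule_lookup (net/ipv6/fib6_rules.c:115)
[  101.200060]  ip6_route_output_flags (net/ipv6/route.c:2607)
[  101.200070]  vrf_process_v6_outbound (drivers/net/vrf.c:437)
[  101.200080] ---[ end trace 0000000000000000 ]---
[  300.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.000010] RIP: 0010:example_drv_poll+0x1c/0x90
[  300.000040] ---[ end trace 0000000000000000 ]---
"""

def split_reports(lines):
    """Group lines into crash reports: NULL-deref header through 'end trace'."""
    reports, current = [], None
    for line in lines:
        if current is None and NULL_DEREF.search(line):
            current = []
        if current is not None:
            current.append(line)
            if "---[ end trace" in line:
                reports.append(current)
                current = None
    # Keep a report that was cut off before 'end trace' (host went down).
    return reports + ([current] if current else [])

def classify(report):
    """'strong' = route frame plus VRF output path, 'partial' = route frame only."""
    frames = {m.group(1) for line in report for m in FRAME.finditer(line)}
    if not frames & ROUTE_FRAMES:
        return None
    return "strong" if frames & VRF_PATH_FRAMES else "partial"

def scan(log_text):
    found = [(r[0].strip(), classify(r)) for r in split_reports(log_text.splitlines())]
    return [hit for hit in found if hit[1]]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A "partial" verdict covers reports that were truncated before the VRF frames were logged, which is common when the host goes down mid-trace.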
Detection Strategies
- Monitor kernel logs for NULL pointer dereference messages in the IPv6 routing subsystem
- Enable KASAN in development/testing environments to detect this class of vulnerability
- Audit VRF configuration change events for timing correlation with system instability
- Implement kernel tracing on ip6_rt_pcpu_alloc and related functions during VRF operations
Monitoring Recommendations
- Configure centralized logging to capture kernel oops and panic messages across all affected systems
- Set up alerts for kernel crashes that contain IPv6 routing stack references
- Monitor system uptime and unexpected restart patterns in environments using VRF
- Deploy kernel live patching solutions to enable rapid remediation without service interruption
How to Mitigate CVE-2026-23304
Immediate Actions Required
- Apply the kernel patches provided in the official Linux kernel git repository
- Schedule maintenance windows to reboot systems after kernel updates
- Consider temporarily avoiding VRF reconfiguration operations on production systems until patched
- Review network architecture to identify systems using VRF with IPv6 that may be affected
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix restores the fallback to loopback_dev when l3mdev_master_dev_rcu() returns NULL, consistent with the established pattern used by other callers in the codebase.
Patches are available from the following kernel git commits:
- Commit 0b5a7826020706057cc5a9d9009e667027f221ee
- Commit 2ffb4f5c2ccb2fa1c049dd11899aee7967deef5a
- Commit 3310fc11fc47387d1dd4759b0bc961643ea11c7f
- Commit 4a48fe59f29f673a3d042d679f26629a9c3e29d4
- Commit 581800298313c9fd75e94985e6d37d21b7e35d34
- Commit ae88c8256547b63980770a9ea7be73a15900d27e
Workarounds
- Avoid VRF configuration changes on production systems until patches can be applied
- If possible, disable IPv6 on systems where it is not required to reduce exposure
- Implement network segmentation to limit access to VRF management interfaces
- Consider using kernel live patching to apply fixes without requiring immediate reboots
# Check current kernel version for vulnerability assessment
uname -r
# Verify VRF module usage on the system
lsmod | grep vrf
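# List VRF devices, then show the IPv6 routes in each VRF
ip -br link show type vrf
for vrf in $(ip -br link show type vrf | awk '{print $1}'); do ip -6 route show vrf "$vrf"; done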

