PT-2026-27665 · Linux · Linux

Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-23300


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics.
Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows:
  1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change.
  2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless.
  3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.
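
The three cases above, modelled in user-space C as an added example (not kernel code and not part of the advisory). The structs and the functions `takes_reject_path()`, `nh_init_model()` and `output_cache_allocated()` are hypothetical simplifications, and the loopback heuristic is reduced to a single device flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define RTF_REJECT 0x0200u  /* value from uapi linux/route.h */
/* Simplified stand-ins (assumptions), not the kernel's structures. */
struct cfg_model { unsigned flags; bool dev_is_loopback; };
struct nh_model  { const int *pcpu_rth_output; };  /* models nhc_pcpu_rth_output */
static const int pcpu_cache = 0;  /* placeholder for the per-CPU route cache */

/* Before the fix: explicit reject OR the loopback heuristic, which a nexthop
 * object on lo always matched. After the fix: explicit RTF_REJECT only. */
static bool takes_reject_path(const struct cfg_model *c, bool fixed)
{
    bool explicit_reject = (c->flags & RTF_REJECT) != 0;
    return fixed ? explicit_reject : (explicit_reject || c->dev_is_loopback);
}

/* Models fib6_nh_init(): the reject path returns before the common init. */
static struct nh_model nh_init_model(const struct cfg_model *c, bool fixed)
{
    struct nh_model nh = { NULL };
    if (takes_reject_path(c, fixed))
        return nh;                     /* fib_nh_common_init() skipped */
    nh.pcpu_rth_output = &pcpu_cache;  /* fib_nh_common_init() ran */
    return nh;
}

/* An IPv4 route using the nexthop needs this pointer; NULL is the crash
 * condition of case 3. It is reported here, never dereferenced. */
static bool output_cache_allocated(const struct cfg_model *c, bool fixed)
{
    struct nh_model nh = nh_init_model(c, fixed);
    return nh.pcpu_rth_output != NULL;
}

/* The three cases from the advisory, in order. */
static const struct cfg_model cases[3] = {
    { RTF_REJECT, false },  /* 1: explicit reject route */
    { 0, true },            /* 2: implicit loopback reject route */
    { 0, true },            /* 3: standalone nexthop object on lo */
};

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("case %d: cache allocated before=%d after=%d\n", i + 1,
               output_cache_allocated(&cases[i], false),
               output_cache_allocated(&cases[i], true));
    return 0;
}
```

Cases 2 and 3 are identical at this point in the model, which is why the fix leaves the loopback promotion to the separate route-creation step rather than to the nexthop init.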

Related Identifiers

CVE-2026-23300

Affected Products

Linux