PT-2026-51906 · Linux · Linux

Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-53012

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on the page.
In the Linux kernel, the following vulnerability has been resolved:
nexthop: fix IPv6 route referencing IPv4 nexthop
syzbot reported a panic [1] [2].
When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups containing this nexthop is not updated. This is because nh_group_v4_update is only called when replacing AF_INET to AF_INET6, but the reverse direction (AF_INET6 to AF_INET) is missed.
This allows a stale has_v4=false to bypass fib6_check_nexthop, causing IPv6 routes to be attached to groups that effectively contain only AF_INET members. Subsequent route lookups then call nexthop_fib6_nh() which returns NULL for the AF_INET member, leading to a NULL pointer dereference.
Fix by calling nh_group_v4_update whenever the family changes, not just AF_INET to AF_INET6.
Reproducer:
  # AF_INET6 blackhole
  ip -6 nexthop add id 1 blackhole
  # group with has_v4=false
  ip nexthop add id 100 group 1
  # replace with AF_INET (no -6), has_v4 stays false
  ip nexthop replace id 1 blackhole
  # pass stale has_v4 check
  ip -6 route add 2001:db8::/64 nhid 100
  # panic
  ping -6 2001:db8::1
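
The flag handling described above, as a simplified userspace model added here for illustration. It is not kernel code and not part of the advisory or the patch; the struct and function names (nh, nh_grp, grp_v4_update, replace_before_fix, replace_after_fix, v6_route_accepted) are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Simplified model, not kernel code; every name below is hypothetical. */
struct nh { int family; };
struct nh_grp {
    struct nh *members[4];
    size_t n;
    bool has_v4;          /* cached: does any member have family AF_INET? */
};

/* Recompute the cached flag from the members' current families. */
static void grp_v4_update(struct nh_grp *g) {
    g->has_v4 = false;
    for (size_t i = 0; i < g->n; i++)
        if (g->members[i]->family == AF_INET)
            g->has_v4 = true;
}

/* Before the fix: the flag is refreshed only for AF_INET -> AF_INET6. */
static void replace_before_fix(struct nh_grp *g, struct nh *nh, int new_family) {
    int old_family = nh->family;
    nh->family = new_family;
    if (old_family == AF_INET && new_family == AF_INET6)
        grp_v4_update(g);
}

/* After the fix: the flag is refreshed whenever the family changes. */
static void replace_after_fix(struct nh_grp *g, struct nh *nh, int new_family) {
    int old_family = nh->family;
    nh->family = new_family;
    if (old_family != new_family)
        grp_v4_update(g);
}

/* Replays the reproducer's state changes; true means the IPv6 route is accepted. */
static bool v6_route_accepted(void (*replace)(struct nh_grp *, struct nh *, int)) {
    struct nh nh1 = { .family = AF_INET6 };             /* nexthop id 1 */
    struct nh_grp g = { .members = { &nh1 }, .n = 1 };  /* group id 100 */
    grp_v4_update(&g);                /* group created with has_v4 == false */
    replace(&g, &nh1, AF_INET);       /* member replaced by an AF_INET nexthop */
    return !g.has_v4;                 /* admission check trusts the cached flag */
}

int main(void) {
    printf("before fix: accepted=%d\n", v6_route_accepted(replace_before_fix));
    printf("after fix:  accepted=%d\n", v6_route_accepted(replace_after_fix));
    return 0;
}
```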

Related identifiers

CVE-2026-53012

Affected products

Linux