CVE-2026-53214

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix a potential NPD in cleanup prefix route()

addrconf get prefix route() can return the fib6 null entry sentinel entry which has a NULL fib6 table pointer. Therefore, before setting the route's expiration time, check that we are not working with this entry, as otherwise a NPD will be triggered [1].

Note that the other callers of addrconf get prefix route() are not susceptible to this bug:

[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [...] Call Trace: kasan check byte (mm/kasan/common.c:573) lock acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1)) raw spin lock bh (kernel/locking/spinlock.c:182 (discriminator 1)) cleanup prefix route (net/ipv6/addrconf.c:1280) ipv6 del addr (net/ipv6/addrconf.c:1342) inet6 addr del.isra.0 (net/ipv6/addrconf.c:3119) inet6 rtm deladdr (net/ipv6/addrconf.c:4812) rtnetlink rcv msg (net/core/rtnetlink.c:6997) netlink rcv skb (net/netlink/af netlink.c:2555) netlink unicast (net/netlink/af netlink.c:1344) netlink sendmsg (net/netlink/af netlink.c:1899) sock sendmsg (net/socket.c:802 (discriminator 4)) sys sendmsg (net/socket.c:2698) sys sendmsg (net/socket.c:2752) sys sendmsg (net/socket.c:2784) do syscall 64 (arch/x86/entry/syscall 64.c:63 arch/x86/entry/syscall 64.c:94) entry SYSCALL 64 after hwframe (arch/x86/entry/entry 64.S:121)