CVE Catalog

CVE-2026-23304

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

A NULL pointer dereference vulnerability was found in the Linux kernel's ip6_rt_get_dev_rcu() function. It occurs when a slave device is being un-slaved from a VRF, causing l3mdev_master_dev_rcu() to return NULL and leading to a system crash.

Risk Assessment

An attacker could exploit this vulnerability to cause a denial of service (DoS) by deliberately un-slaving network interfaces from VRF, resulting in kernel panic and system downtime.

Recommendation

Immediately update the Linux kernel to a version containing the fix that restores the fallback to the loopback interface when no master device is available.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437) I was tempted to rework the un-slaving code to clear the flag first and insert synchronize_rcu() before we remove the upper. But looks like the explicit fallback to loopback_dev is an established pattern. And I guess avoiding the synchronize_rcu() is nice, too.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS