CVE-2026-23300

EUVD-2026-15235

25.03.2026, 11:16

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop

When a standalone IPv6 nexthop object is created with a loopback device
(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies
it as a reject route. This is because nexthop objects have no destination
prefix (fc_dst=::), causing fib6_is_reject() to match any loopback
nexthop. The reject path skips fib_nh_common_init(), leaving
nhc_pcpu_rth_output unallocated. If an IPv4 route later references this
nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and
panics.

Simplify the check in fib6_nh_init() to only match explicit reject
routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback
promotion heuristic in fib6_is_reject() is handled separately by
ip6_route_info_create_nh(). After this change, the three cases behave
as follows:

1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"):
   RTF_REJECT is set, enters reject path, skips fib_nh_common_init().
   No behavior change.

2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"):
   RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
   called. ip6_route_info_create_nh() still promotes it to reject
   afterward. nhc_pcpu_rth_output is allocated but unused, which is
   harmless.

3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"):
   RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
   called. nhc_pcpu_rth_output is properly allocated, fixing the crash
   when IPv4 routes reference this nexthop.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.3 ≤ 𝑥 < 5.10.253
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.203
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.167
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.130
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.77
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.17
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.7
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.257-1 fixed
forky	7.0.12-2 fixed
sid	7.0.13-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.94-1 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

Amazon Linux Releases

Amazon Package

Release

bpftool

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

bpftool-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

bpftool6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

bpftool6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

bpftool6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

bpftool6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-debuginfo-common-aarch64

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-debuginfo-common-x86_64

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-devel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-headers

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf-devel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf-static

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-livepatch-6.1.168-202.320

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.12.77-99.140

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.18.20-20.229

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-modules-extra

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-modules-extra-common

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-tools

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-tools-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-tools-devel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo-common-aarch64

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo-common-x86_64

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-headers

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-static

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-modules-extra

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-modules-extra-common

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-debuginfo-common-aarch64

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-debuginfo-common-x86_64

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-devel

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-headers

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf-devel

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf-static

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-modules-extra

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-modules-extra-common

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-tools

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-tools-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-tools-devel

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

perf

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

perf-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

perf6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

perf6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

perf6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

perf6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

python3-perf

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

python3-perf-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

python3-perf6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

python3-perf6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

python3-perf6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

python3-perf6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

Azure Linux Releases

Azure Package

Release

kernel

Azure Linux 3.0

0:6.6.130.1-1.azl3

fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093

https://git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644

https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133

https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc

https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c

https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a

https://git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9

https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f