CVE-2026-23200 (GCVE-0-2026-23200)

Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
Title
ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0] Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added. However, this causes a problem when the existing route has a gateway. When RTF_ADDRCONF is cleared from a route that has a gateway, that route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns true. The issue is that this route was never added to the fib6_siblings list. This leads to a mismatch between the following counts: - The sibling count computed by iterating fib6_next chain, which includes the newly ECMP-eligible route - The actual siblings in fib6_siblings list, which does not include that route When a subsequent ECMP route is added, fib6_add_rt2node() hits BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the counts don't match. Fix this by only clearing RTF_ADDRCONF when the existing route does not have a gateway. Routes without a gateway cannot qualify for ECMP anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing RTF_ADDRCONF on them is safe and matches the original intent of the commit. [0]: kernel BUG at net/ipv6/ip6_fib.c:1217! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217 [...] Call Trace: <TASK> fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532 __ip6_ins_rt net/ipv6/route.c:1351 [inline] ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946 ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571 inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577 sock_do_ioctl+0xdc/0x300 net/socket.c:1245 sock_ioctl+0x576/0x790 net/socket.c:1366 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: cb2b0caa8ca93cbe39177516669bf699c74f7041 , < 50b7c7a255858a85c4636a1e990ca04591153dca (git)
Affected: 03f642caab84bbfd138e74f671bb436186ea7e82 , < d8143c54ceeba232dc8a13aa0afa14a44b371d93 (git)
Affected: 3e5b25da0b4109a3e063759735e6ec4236ea5a05 , < b8ad2d53f706aeea833d23d45c0758398fede580 (git)
Affected: f72514b3c5698e4b900b25345e09f9ed33123de6 , < bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 (git)
Affected: 61d88ea0f30c88e4ea98793594943aed8f1fc9ab (git)
Create a notification for this product.
    Linux Linux Affected: 6.6.120 , < 6.6.124 (semver)
Affected: 6.12.63 , < 6.12.70 (semver)
Affected: 6.18.2 , < 6.18.10 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_fib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "50b7c7a255858a85c4636a1e990ca04591153dca",
              "status": "affected",
              "version": "cb2b0caa8ca93cbe39177516669bf699c74f7041",
              "versionType": "git"
            },
            {
              "lessThan": "d8143c54ceeba232dc8a13aa0afa14a44b371d93",
              "status": "affected",
              "version": "03f642caab84bbfd138e74f671bb436186ea7e82",
              "versionType": "git"
            },
            {
              "lessThan": "b8ad2d53f706aeea833d23d45c0758398fede580",
              "status": "affected",
              "version": "3e5b25da0b4109a3e063759735e6ec4236ea5a05",
              "versionType": "git"
            },
            {
              "lessThan": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25",
              "status": "affected",
              "version": "f72514b3c5698e4b900b25345e09f9ed33123de6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "61d88ea0f30c88e4ea98793594943aed8f1fc9ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_fib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.6.124",
              "status": "affected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.70",
              "status": "affected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.10",
              "status": "affected",
              "version": "6.18.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.124",
                  "versionStartIncluding": "6.6.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.70",
                  "versionStartIncluding": "6.12.63",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.10",
                  "versionStartIncluding": "6.18.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.17.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF\n\nsyzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6\nroute. [0]\n\nCommit f72514b3c569 (\"ipv6: clear RA flags when adding a static\nroute\") introduced logic to clear RTF_ADDRCONF from existing routes\nwhen a static route with the same nexthop is added. However, this\ncauses a problem when the existing route has a gateway.\n\nWhen RTF_ADDRCONF is cleared from a route that has a gateway, that\nroute becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns\ntrue. The issue is that this route was never added to the\nfib6_siblings list.\n\nThis leads to a mismatch between the following counts:\n\n- The sibling count computed by iterating fib6_next chain, which\n  includes the newly ECMP-eligible route\n\n- The actual siblings in fib6_siblings list, which does not include\n  that route\n\nWhen a subsequent ECMP route is added, fib6_add_rt2node() hits\nBUG_ON(sibling-\u003efib6_nsiblings != rt-\u003efib6_nsiblings) because the\ncounts don\u0027t match.\n\nFix this by only clearing RTF_ADDRCONF when the existing route does\nnot have a gateway. Routes without a gateway cannot qualify for ECMP\nanyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing\nRTF_ADDRCONF on them is safe and matches the original intent of the\ncommit.\n\n[0]:\nkernel BUG at net/ipv6/ip6_fib.c:1217!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217\n[...]\nCall Trace:\n \u003cTASK\u003e\n fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946\n ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571\n inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577\n sock_do_ioctl+0xdc/0x300 net/socket.c:1245\n sock_ioctl+0x576/0x790 net/socket.c:1366\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-14T16:27:25.025Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/50b7c7a255858a85c4636a1e990ca04591153dca"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8143c54ceeba232dc8a13aa0afa14a44b371d93"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8ad2d53f706aeea833d23d45c0758398fede580"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25"
        }
      ],
      "title": "ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23200",
    "datePublished": "2026-02-14T16:27:25.025Z",
    "dateReserved": "2026-01-13T15:37:45.986Z",
    "dateUpdated": "2026-02-14T16:27:25.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23200\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T17:15:57.847\",\"lastModified\":\"2026-02-14T17:15:57.847\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF\\n\\nsyzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6\\nroute. [0]\\n\\nCommit f72514b3c569 (\\\"ipv6: clear RA flags when adding a static\\nroute\\\") introduced logic to clear RTF_ADDRCONF from existing routes\\nwhen a static route with the same nexthop is added. However, this\\ncauses a problem when the existing route has a gateway.\\n\\nWhen RTF_ADDRCONF is cleared from a route that has a gateway, that\\nroute becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns\\ntrue. The issue is that this route was never added to the\\nfib6_siblings list.\\n\\nThis leads to a mismatch between the following counts:\\n\\n- The sibling count computed by iterating fib6_next chain, which\\n  includes the newly ECMP-eligible route\\n\\n- The actual siblings in fib6_siblings list, which does not include\\n  that route\\n\\nWhen a subsequent ECMP route is added, fib6_add_rt2node() hits\\nBUG_ON(sibling-\u003efib6_nsiblings != rt-\u003efib6_nsiblings) because the\\ncounts don\u0027t match.\\n\\nFix this by only clearing RTF_ADDRCONF when the existing route does\\nnot have a gateway. Routes without a gateway cannot qualify for ECMP\\nanyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing\\nRTF_ADDRCONF on them is safe and matches the original intent of the\\ncommit.\\n\\n[0]:\\nkernel BUG at net/ipv6/ip6_fib.c:1217!\\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\\nCPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\\nRIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217\\n[...]\\nCall Trace:\\n \u003cTASK\u003e\\n fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532\\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946\\n ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571\\n inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577\\n sock_do_ioctl+0xdc/0x300 net/socket.c:1245\\n sock_ioctl+0x576/0x790 net/socket.c:1366\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:597 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/50b7c7a255858a85c4636a1e990ca04591153dca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b8ad2d53f706aeea833d23d45c0758398fede580\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d8143c54ceeba232dc8a13aa0afa14a44b371d93\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.