CVE-2026-23200
ECMP Count Mismatch Bug in Linux Kernel IPv6 Routing

Publication date: 2026-02-14

Last updated on: 2026-03-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF

syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0]

Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added. However, this causes a problem when the existing route has a gateway.

When RTF_ADDRCONF is cleared from a route that has a gateway, that route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns true. The issue is that this route was never added to the fib6_siblings list.

This leads to a mismatch between the following counts:

- The sibling count computed by iterating fib6_next chain, which includes the newly ECMP-eligible route
- The actual siblings in fib6_siblings list, which does not include that route

When a subsequent ECMP route is added, fib6_add_rt2node() hits BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the counts don't match.

Fix this by only clearing RTF_ADDRCONF when the existing route does not have a gateway. Routes without a gateway cannot qualify for ECMP anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing RTF_ADDRCONF on them is safe and matches the original intent of the commit.

[0]:
kernel BUG at net/ipv6/ip6_fib.c:1217!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217
[...]
Call Trace:
 <TASK>
 fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532
 __ip6_ins_rt net/ipv6/route.c:1351 [inline]
 ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946
 ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571
 inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577
 sock_do_ioctl+0xdc/0x300 net/socket.c:1245
 sock_ioctl+0x576/0x790 net/socket.c:1366
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Meta Information
Published: 2026-02-14
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-02-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 12 associated CPEs
Vendor  Product       Version / Range
linux   linux_kernel  6.19
linux   linux_kernel  6.19
linux   linux_kernel  6.19
linux   linux_kernel  6.19
linux   linux_kernel  6.19
linux   linux_kernel  From 6.17.13 (inc) to 6.18 (exc)
linux   linux_kernel  6.19
linux   linux_kernel  6.19
linux   linux_kernel  6.19
linux   linux_kernel  From 6.12.63 (inc) to 6.12.70 (exc)
linux   linux_kernel  From 6.18.2 (inc) to 6.18.10 (exc)
linux   linux_kernel  From 6.6.120 (inc) to 6.6.124 (exc)
CWE ID   Description
CWE-476  The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's IPv6 routing code. It occurs due to a logic error introduced when clearing the RTF_ADDRCONF flag from existing routes while adding a static route with the same nexthop. Specifically, if the existing route has a gateway, clearing this flag makes the route eligible for Equal-Cost Multi-Path (ECMP) routing, but the route is not properly added to the internal sibling list that tracks ECMP routes.

This mismatch between the sibling count and the actual siblings in the list causes a kernel BUG in the function fib6_add_rt2node() when a subsequent ECMP route is added, leading to a crash or instability.

The fix involves only clearing the RTF_ADDRCONF flag when the existing route does not have a gateway, which prevents the mismatch and maintains proper ECMP route tracking.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to hit a BUG condition and crash or become unstable when managing IPv6 routes involving ECMP. This can lead to system crashes or denial of service, impacting the availability and reliability of systems running vulnerable kernel versions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel BUG in the function fib6_add_rt2node() when adding an IPv6 route, which can cause system crashes or kernel oops messages.

To detect this issue, monitor your system logs (e.g., dmesg or /var/log/kern.log) for kernel BUG messages related to fib6_add_rt2node or IPv6 routing errors.

You can use the following command to check kernel logs for relevant errors:

  • dmesg | grep -i 'fib6_add_rt2node\|BUG\|ipv6'

Additionally, checking for kernel oops or panic messages related to IPv6 routing in system logs can help identify if the vulnerability is triggered.
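
A narrower check than the broad grep above, as an added example that is not part of the original page: it reports only the oops signature quoted in the description, a `kernel BUG at net/ipv6/ip6_fib.c` line followed by a RIP inside `fib6_add_rt2node`. The function name `scan_ecmp_bug`, the 20-line window and both sample logs are assumptions constructed for illustration.

```sh
# scan_ecmp_bug: read kernel log text on stdin, print one MATCH line per oops
# that carries this advisory's signature. Exit 0 if found, 1 if not.
scan_ecmp_bug() {
    awk '
        # "kernel BUG at net/ipv6/ip6_fib.c:<line>!" opens a candidate oops.
        # The source line (1217 in the syzbot report) varies between builds.
        /kernel BUG at net\/ipv6\/ip6_fib\.c:[0-9]+!/ { pending = $0; window = 20; next }
        # Confirm with the faulting function on the RIP line that follows.
        pending != "" && /RIP: .*fib6_add_rt2node\+/ {
            print "MATCH: " pending
            hits++; pending = ""; next
        }
        # Give up if no RIP line shows up within 20 lines of the BUG line.
        pending != "" && (--window == 0) { pending = "" }
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Constructed sample: the report lines from the description, with timestamps added.
SAMPLE_HIT='[  101.000001] kernel BUG at net/ipv6/ip6_fib.c:1217!
[  101.000002] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
[  101.000003] RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217'

# Constructed sample: unrelated lines that a case-insensitive grep for
# "BUG" or "ipv6" would still report.
SAMPLE_NOISE='[    3.100000] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    4.200000] usb 1-1: debug port enabled'

printf '%s\n' "$SAMPLE_HIT" | scan_ecmp_bug
printf '%s\n' "$SAMPLE_NOISE" | scan_ecmp_bug || echo "no signature in noise sample"
```

On a live host, pipe `dmesg` or `journalctl -k` output into the function instead of the samples.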


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a kernel patch that changes the logic to only clear the RTF_ADDRCONF flag when the existing route does not have a gateway.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid adding static IPv6 routes that could trigger the bug until the kernel is patched.
  • Monitor system stability and kernel logs for any signs of the bug to prevent unexpected crashes.
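
To decide which hosts need the update first, the following added example (not from the original page) compares the upstream version prefix of a kernel release string against the ranges listed under Affected Vendors & Products. The function names are hypothetical, the 6.19 rows are left out because the page gives no range for them, and distribution kernels may carry the fix as a backport under an older version number, so a match is a prompt to check the vendor advisory.

```sh
# ver_lt A B: true when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Ranges copied from this page's CPE table, one per line:
# "<first affected, inclusive> <first fixed, exclusive>".
AFFECTED_RANGES='6.6.120 6.6.124
6.12.63 6.12.70
6.17.13 6.18
6.18.2 6.18.10'

# kernel_in_affected_range RELEASE: exit 0 if the upstream version prefix of
# RELEASE falls inside one of the ranges above, 1 otherwise.
kernel_in_affected_range() {
    # Keep only the leading dotted number: "6.12.65-generic" -> "6.12.65".
    v=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//')
    while read -r lo hi; do
        if ! ver_lt "$v" "$lo" && ver_lt "$v" "$hi"; then
            return 0
        fi
    done <<EOF
$AFFECTED_RANGES
EOF
    return 1
}

# Check the running kernel.
if kernel_in_affected_range "$(uname -r)"; then
    echo "$(uname -r): inside a listed affected range, check the vendor advisory"
else
    echo "$(uname -r): outside the listed ranges"
fi
```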
