CVE-2026-23300
Analyzed Analyzed - Analysis Complete
Null Pointer Dereference in Linux IPv6 Nexthop Causes Kernel Panic

Publication date: 2026-03-25

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics. Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows: 1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change. 2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless. 3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23300
EUVD
EUVD-2026-15235
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 5.3 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the creation of standalone IPv6 nexthop objects with a loopback device that can cause a kernel panic when referenced by IPv4 routes.

To detect if your system is affected, you can check for the presence of such IPv6 nexthop objects referencing the loopback device.

Suggested commands to inspect nexthop objects and routes include:

  • ip -6 nexthop show
  • ip -6 nexthop list
  • ip -6 route show
  • ip route show

Specifically, look for nexthop entries created with the loopback device (e.g., 'dev lo') and verify if any IPv4 routes reference these nexthops, which could trigger the panic.

Mitigation Strategies

The vulnerability is resolved by a kernel patch that changes the way IPv6 nexthop objects referencing the loopback device are handled, preventing kernel panic.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid creating standalone IPv6 nexthop objects with the loopback device until the fix is applied.
  • Review and audit your IPv4 and IPv6 routing configurations to ensure no IPv4 routes reference such problematic nexthops.
Executive Summary

This vulnerability occurs in the Linux kernel's networking code related to IPv6 nexthop objects. When a standalone IPv6 nexthop is created using a loopback device, the kernel misclassifies it as a reject route due to how it checks the nexthop's destination prefix. This misclassification causes the kernel to skip an important initialization step, leaving a critical pointer unallocated (NULL). Later, if an IPv4 route references this nexthop, the kernel dereferences this NULL pointer, causing a system panic (crash).

The fix simplifies the check to only consider explicit reject routes, ensuring proper initialization for standalone nexthop objects and preventing the panic.

Impact Analysis

This vulnerability can cause the Linux kernel to panic (crash) when certain IPv4 routes reference a misclassified IPv6 nexthop object. This can lead to system instability or downtime, potentially disrupting network services and operations on affected systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23300. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart