In the Linux kernel, the following vulnerability has been resolved:
ipv6: annotate data-race in ndisc_router_discovery()
syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1]
This looks fine, IFLA_INET6_RA_MTU is best effort.
Add READ_ONCE()/WRITE_ONCE() to document the race.
Note that we might also reject illegal MTU values (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.
[1] BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery

read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:
  ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558
  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
  dst_input include/net/dst.h:474 [inline]
  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
  ...

write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:
  ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559
  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
  dst_input include/net/dst.h:474 [inline]
  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
  ...

value changed: 0x00000000 -> 0xe5400659
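
The annotation pattern and the range check mentioned above, as an added user-space sketch (not the kernel patch or code from the kernel tree). The struct demo_idev, the helper names and the macro stand-ins are assumptions made for illustration; the option bytes are constructed to carry the value from the KCSAN report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* User-space stand-ins for the kernel macros: one volatile access each. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

#define IPV6_MIN_MTU 1280
#define ND_OPT_MTU   5          /* RFC 4861 MTU option type */

struct demo_idev {              /* hypothetical model of the shared state */
    uint32_t ra_mtu;            /* models in6_dev->ra_mtu, written locklessly */
    uint32_t link_mtu;          /* models skb->dev->mtu */
};

/* Extract the MTU from an 8-byte RFC 4861 MTU option; 0 if malformed. */
static uint32_t parse_mtu_opt(const uint8_t *opt, size_t len)
{
    uint32_t n;

    if (len < 8 || opt[0] != ND_OPT_MTU || opt[1] != 1)
        return 0;
    memcpy(&n, opt + 4, sizeof(n));     /* skip type, length, reserved */
    return ntohl(n);
}

/* Annotated lockless update; true when the stored value changed. */
static bool record_ra_mtu(struct demo_idev *idev, uint32_t mtu)
{
    if (READ_ONCE(idev->ra_mtu) == mtu)
        return false;
    WRITE_ONCE(idev->ra_mtu, mtu);
    return true;
}

/* Range check the commit message mentions for a possible future patch. */
static bool ra_mtu_in_range(const struct demo_idev *idev, uint32_t mtu)
{
    return !(mtu < IPV6_MIN_MTU || mtu > idev->link_mtu);
}

int main(void)
{
    /* Constructed option: type 5, len 1, reserved, MTU 0xe5400659. */
    const uint8_t opt[8] = {5, 1, 0, 0, 0xe5, 0x40, 0x06, 0x59};
    struct demo_idev idev = { .ra_mtu = 0, .link_mtu = 1500 };
    uint32_t mtu = parse_mtu_opt(opt, sizeof(opt));

    /* Exit 0: the value is recorded, yet it fails the range check. */
    return (record_ra_mtu(&idev, mtu) && !ra_mtu_in_range(&idev, mtu)) ? 0 : 1;
}
```

The macros only make each access a single marked load or store; they add no ordering or mutual exclusion, which matches the commit message's description of the field as best effort.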
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23124.json",
"cna_assigner": "Linux"
}