DEBIAN-CVE-2026-23200

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTFADDRCONF syzbot reported a kernel BUG in fib6addrt2node() when adding an IPv6 route. [0] Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTFADDRCONF from existing routes when a static route with the same nexthop is added. However, this causes a problem when the existing route has a gateway. When RTFADDRCONF is cleared from a route that has a gateway, that route becomes eligible for ECMP, i.e. rt6qualifyforecmp() returns true. The issue is that this route was never added to the fib6siblings list. This leads to a mismatch between the following counts: - The sibling count computed by iterating fib6next chain, which includes the newly ECMP-eligible route - The actual siblings in fib6siblings list, which does not include that route When a subsequent ECMP route is added, fib6addrt2node() hits BUGON(sibling->fib6nsiblings != rt->fib6nsiblings) because the counts don't match. Fix this by only clearing RTFADDRCONF when the existing route does not have a gateway. Routes without a gateway cannot qualify for ECMP anyway (rt6qualifyforecmp() requires fibnhgwfamily), so clearing RTFADDRCONF on them is safe and matches the original intent of the commit. [0]: kernel BUG at net/ipv6/ip6fib.c:1217! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:fib6addrt2node+0x3433/0x3470 net/ipv6/ip6fib.c:1217 [...] Call Trace: <TASK> fib6add+0x8da/0x18a0 net/ipv6/ip6fib.c:1532 _ip6insrt net/ipv6/route.c:1351 [inline] ip6routeadd+0xde/0x1b0 net/ipv6/route.c:3946 ipv6routeioctl+0x35c/0x480 net/ipv6/route.c:4571 inet6ioctl+0x219/0x280 net/ipv6/afinet6.c:577 sockdoioctl+0xdc/0x300 net/socket.c:1245 sockioctl+0x576/0x790 net/socket.c:1366 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:597 [inline] _sesysioctl+0xfc/0x170 fs/ioctl.c:583 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xfa/0xf80 arch/x86/entry/syscall64.c:94 entrySYSCALL64after_hwframe+0x77/0x7f