CVE-2026-23124 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
ipv6: annotate data-race in ndisc_router_discovery()
syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1]
This looks fine, IFLA_INET6_RA_MTU is best effort.
Add READ_ONCE()/WRITE_ONCE() to document the race.
Note that we might also reject illegal MTU values (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.
[1]
BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery
read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ...
write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ...
value changed: 0x00000000 -> 0xe5400659
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/06/2026
The vulnerability described in CVE-2026-23124 represents a data race condition within the Linux kernel's IPv6 neighbor discovery implementation, specifically in the ndisc_router_discovery function. This issue was identified through systematic testing by syzbot, which detected concurrent read and write operations on the ra_mtu field of the in6_dev structure without proper synchronization mechanisms. The race condition occurs when multiple kernel threads attempt to access the same memory location simultaneously, creating a potential for inconsistent data states and unpredictable behavior in network packet processing. The vulnerability manifests in the context of IPv6 router advertisement processing where the kernel receives and processes ICMPv6 router advertisement messages containing router advertisement options including the MTU value.
The technical flaw stems from the absence of proper locking mechanisms when accessing the ra_mtu field within the ndisc_router_discovery function. This field is part of the in6_dev structure that maintains IPv6 interface-specific configuration data, and its concurrent access without synchronization creates a classic race condition scenario. The kernel's network stack processes incoming ICMPv6 packets through multiple layers including icmpv6_rcv, ip6_protocol_deliver_rcu, and ip6_input functions before reaching the ndisc_router_discovery handler. The race condition is further evidenced by the KCSAN (Kernel Concurrency Sanitizer) detection showing two distinct tasks accessing the same memory address at different times, with one performing a read operation and another performing a write operation on the same 4-byte field.
The operational impact of this vulnerability extends beyond simple data inconsistency, potentially affecting network connectivity and packet forwarding behavior in IPv6 environments. When multiple router advertisements are processed concurrently, the race condition can result in incorrect MTU values being used for packet fragmentation decisions, which may lead to packet drops, fragmentation issues, or network performance degradation. The vulnerability specifically affects IPv6 neighbor discovery mechanisms that rely on router advertisements for network configuration information, making it particularly concerning for systems that depend heavily on IPv6 networking. This type of race condition could also serve as a potential vector for more sophisticated attacks if exploited in conjunction with other vulnerabilities, though the immediate impact is primarily related to data integrity and network reliability.
The fix implemented for this vulnerability involves adding READ_ONCE() and WRITE_ONCE() macros to properly document and handle the data race condition in the ndisc_router_discovery function. This approach acknowledges that the IFLA_INET6_RA_MTU configuration parameter is best effort and that concurrent access should be explicitly handled through kernel memory access primitives rather than relying on implicit synchronization. The solution aligns with established kernel development practices for handling race conditions and memory access patterns. Additionally, the kernel developers have indicated that future patches may include validation of MTU values to ensure they fall within acceptable ranges, specifically rejecting values below IPV6_MIN_MTU or exceeding the interface's maximum transmission unit. This vulnerability maps to CWE-367, which describes Time-of-Check to Time-of-Use (TOCTOU) race conditions, and could potentially align with ATT&CK technique T1059.006 for kernel-level privilege escalation if exploited in more complex attack scenarios. The fix represents a defensive programming approach that explicitly acknowledges the concurrent nature of the access pattern rather than attempting to eliminate it through more complex locking mechanisms.