CVE-2026-23200 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0]
Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added. However, this causes a problem when the existing route has a gateway.
When RTF_ADDRCONF is cleared from a route that has a gateway, that route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns true. The issue is that this route was never added to the fib6_siblings list.
This leads to a mismatch between the following counts:
- The sibling count computed by iterating fib6_next chain, which includes the newly ECMP-eligible route
- The actual siblings in fib6_siblings list, which does not include that route
When a subsequent ECMP route is added, fib6_add_rt2node() hits BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the counts don't match.
Fix this by only clearing RTF_ADDRCONF when the existing route does not have a gateway. Routes without a gateway cannot qualify for ECMP anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing RTF_ADDRCONF on them is safe and matches the original intent of the commit.
[0]:
kernel BUG at net/ipv6/ip6_fib.c:1217! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217 [...]
Call Trace: <TASK> fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532 __ip6_ins_rt net/ipv6/route.c:1351 [inline]
ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946 ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571 inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577 sock_do_ioctl+0xdc/0x300 net/socket.c:1245 sock_ioctl+0x576/0x790 net/socket.c:1366 vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/06/2026
The vulnerability described in CVE-2026-23200 resides within the Linux kernel's IPv6 routing implementation, specifically in the fib6_add_rt2node() function located in net/ipv6/ip6_fib.c. This issue manifests as a kernel BUG triggered by an inconsistency in the handling of ECMP (Equal Cost Multi-Path) route sibling counts during route addition operations. The root cause stems from a flawed logic introduced in commit f72514b3c569, which aimed to clear RTF_ADDRCONF flags from existing routes when static routes with identical nexthops are added. However, this change creates a mismatch between expected and actual sibling counts in the routing table structure.
The technical flaw occurs when a static route is added that matches an existing route with a gateway. The kernel clears the RTF_ADDRCONF flag from the existing route, making it eligible for ECMP consideration through the rt6_qualify_for_ecmp() function. This eligibility, however, does not align with the route's actual inclusion in the fib6_siblings list, which is maintained separately for ECMP operations. The function fib6_add_rt2node() performs a critical validation using BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) to ensure consistency between sibling counts computed via the fib6_next chain and those actually stored in the fib6_siblings list. When this consistency check fails, the kernel panics with an invalid opcode error, indicating a critical system failure.
This vulnerability directly impacts network reliability and system stability, as it can cause kernel oops and system crashes when handling IPv6 routing operations involving static routes with matching nexthops. The operational impact extends beyond simple system crashes to potentially disrupt network connectivity, especially in environments relying on ECMP routing for load balancing and redundancy. The issue is particularly concerning in high-availability network infrastructures where routing table modifications are frequent and critical for maintaining network services. According to CWE classification, this vulnerability maps to CWE-129: Improper Validation of Array Index, as it involves incorrect handling of routing table sibling counts and array indexing operations. The ATT&CK framework categorizes this under T1489: Data Destruction, as the kernel panic can result in complete system service disruption, and T1566: Phishing, since network connectivity disruptions can affect legitimate network operations.
The mitigation strategy involves modifying the route flag clearing logic to only remove RTF_ADDRCONF when the existing route lacks a gateway. This approach ensures that routes with gateways remain excluded from ECMP considerations, maintaining consistency between the route eligibility criteria and their actual inclusion in ECMP sibling lists. The fix specifically addresses the root cause by preventing the scenario where a route becomes ECMP-eligible without being properly registered in the fib6_siblings list. This solution aligns with the original intent of the commit while preserving the intended behavior of static route handling. System administrators should apply kernel updates containing this fix immediately, particularly in production environments handling IPv6 routing, to prevent potential system crashes and maintain network reliability. The fix also reinforces proper state management in kernel networking subsystems and demonstrates the importance of maintaining consistency between different data structures when implementing complex routing logic.