Linux Kernel up to 6.18.7 ipv6 ndisc_router_discovery race condition

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.9 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as critical has been discovered in Linux Kernel up to 5.15.198/6.1.161/6.6.121/6.12.67/6.18.7. Affected by this vulnerability is the function ndisc_router_discovery of the component ipv6. Executing a manipulation can lead to race condition.
This vulnerability is registered as CVE-2026-23124. No exploit is available.
It is advisable to upgrade the affected component.
Details
A vulnerability classified as critical was found in Linux Kernel up to 5.15.198/6.1.161/6.6.121/6.12.67/6.18.7. This vulnerability affects the function ndisc_router_discovery of the component ipv6. The manipulation with an unknown input leads to a race condition vulnerability. The CWE definition for the vulnerability is CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. The impact remains unknown. CVE summarizes:
In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndisc_router_discovery() syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1] This looks fine, IFLA_INET6_RA_MTU is best effort. Add READ_ONCE()/WRITE_ONCE() to document the race. Note that we might also reject illegal MTU values (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. [1] BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 ... value changed: 0x00000000 -> 0xe5400659
The advisory is shared for download at git.kernel.org. This vulnerability was named CVE-2026-23124 since 01/13/2026. The exploitation appears to be difficult. There are known technical details, but no exploit is available.
The vulnerability scanner Nessus provides a plugin with the ID 299168 (Linux Distros Unpatched Vulnerability : CVE-2026-23124), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 5.15.199, 6.1.162, 6.6.122, 6.12.68 or 6.18.8 eliminates this vulnerability. Applying the patch 4630897eb1a039b5d7b737b8dc9521d9d4b568b5/2619499169fb1c2ac4974b0f2d87767fb543582b/fad8f4ff7928f4d52a062ffdcffa484989c79c47/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9/e3c1040252e598f7b4e33a42dc7c38519bc22428/9a063f96d87efc3a6cc667f8de096a3d38d74bb5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (299168) and CERT Bund (WID-SEC-2026-0421). Once again VulDB remains the best source for vulnerability data.
Affected
- Google Container-Optimized OS
- Debian Linux
- Google Cloud Platform
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- RESF Rocky Linux
- Open Source Linux Kernel
- IBM QRadar SIEM
Product
Type
Vendor
Name
Version
- 5.15.198
- 6.1.161
- 6.6.121
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.12.23
- 6.12.24
- 6.12.25
- 6.12.26
- 6.12.27
- 6.12.28
- 6.12.29
- 6.12.30
- 6.12.31
- 6.12.32
- 6.12.33
- 6.12.34
- 6.12.35
- 6.12.36
- 6.12.37
- 6.12.38
- 6.12.39
- 6.12.40
- 6.12.41
- 6.12.42
- 6.12.43
- 6.12.44
- 6.12.45
- 6.12.46
- 6.12.47
- 6.12.48
- 6.12.49
- 6.12.50
- 6.12.51
- 6.12.52
- 6.12.53
- 6.12.54
- 6.12.55
- 6.12.56
- 6.12.57
- 6.12.58
- 6.12.59
- 6.12.60
- 6.12.61
- 6.12.62
- 6.12.63
- 6.12.64
- 6.12.65
- 6.12.66
- 6.12.67
- 6.18.0
- 6.18.1
- 6.18.2
- 6.18.3
- 6.18.4
- 6.18.5
- 6.18.6
- 6.18.7
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.0VulDB Meta Temp Score: 4.9
VulDB Base Score: 4.6
VulDB Temp Score: 4.4
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Race conditionCWE: CWE-362
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 299168
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-23124
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 5.15.199/6.1.162/6.6.122/6.12.68/6.18.8
Patch: 4630897eb1a039b5d7b737b8dc9521d9d4b568b5/2619499169fb1c2ac4974b0f2d87767fb543582b/fad8f4ff7928f4d52a062ffdcffa484989c79c47/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9/e3c1040252e598f7b4e33a42dc7c38519bc22428/9a063f96d87efc3a6cc667f8de096a3d38d74bb5
Timeline
01/13/2026 CVE reserved02/14/2026 Advisory disclosed
02/14/2026 VulDB entry created
05/06/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2026-23124 (🔒)
GCVE (CVE): GCVE-0-2026-23124
GCVE (VulDB): GCVE-100-346060
CERT Bund: WID-SEC-2026-0421 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 02/14/2026 18:10Updated: 05/06/2026 08:08
Changes: 02/14/2026 18:10 (59), 02/14/2026 19:23 (1), 02/17/2026 00:26 (2), 02/19/2026 06:32 (1), 03/19/2026 02:47 (11), 05/06/2026 08:08 (7)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.