CVE-2026-23200
📋 TL;DR
A Linux kernel vulnerability in IPv6 routing causes a kernel panic when adding ECMP routes after clearing RTF_ADDRCONF flags from gateway routes. This affects Linux systems using IPv6 routing with ECMP capabilities. The vulnerability can lead to denial of service through kernel crashes.
💻 Affected Systems
- Linux Kernel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and complete denial of service, requiring physical or remote console access to reboot the system.
Likely Case
System crash when specific IPv6 routing operations are performed, causing temporary service disruption until system reboot.
If Mitigated
No impact if IPv6 routing with ECMP is not used or if the vulnerable code path is not triggered.
🎯 Exploit Status
Requires CAP_NET_ADMIN privileges to manipulate routing tables. Discovered through syzkaller fuzzing, indicating potential for automated exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 50b7c7a25585, b8ad2d53f706, bbf4a17ad9ff, d8143c54ceeb
Vendor Advisory: https://git.kernel.org/stable/c/50b7c7a255858a85c4636a1e990ca04591153dca
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check with your distribution for backported patches.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable IPv6 ECMP
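Linux: Prevent ECMP route additions that trigger the vulnerability
sysctl -w net.ipv6.fib_multipath=0
Confirm that this key exists on your kernel before relying on this workaround: if sysctl reports an unknown key, nothing has been changed.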
Restrict routing table modifications
Linux: Limit CAP_NET_ADMIN capabilities to prevent unauthorized route changes
Review and restrict users/groups with CAP_NET_ADMIN capability
🧯 If You Can't Patch
- Monitor for kernel panic logs related to fib6_add_rt2node()
- Implement strict change control for IPv6 routing configuration
🔍 How to Verify
Check if Vulnerable:
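Check the kernel version and whether it contains the vulnerable commit f72514b3c569 without the fix commits. The release string printed by uname -r does not list commit IDs, so map it to these commits through your distribution's kernel changelog or the stable tree.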
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits: 50b7c7a25585, b8ad2d53f706, bbf4a17ad9ff, or d8143c54ceeb
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages containing 'fib6_add_rt2node'
- BUG at net/ipv6/ip6_fib.c:1217
- Invalid opcode errors during route operations
Network Indicators:
- Sudden loss of IPv6 connectivity after routing changes
- Increased routing protocol errors
SIEM Query:
event_source="kernel" AND (message CONTAINS "fib6_add_rt2node" OR message CONTAINS "ip6_fib.c:1217" OR message CONTAINS "Oops: invalid opcode")
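The log indicators above can be correlated per crash report rather than matched line by line, so that an unrelated "invalid opcode" oops does not raise this alert. The following is an added example, not part of the original advisory; the report delimiters and the sample log are assumptions constructed for illustration.

```python
import re

# Indicators from the "Log Indicators" list; the line number can shift between builds.
STRONG = {"function": re.compile(r"\bfib6_add_rt2node\b"),
          "bug_site": re.compile(r"BUG at net/ipv6/ip6_fib\.c:1217")}
WEAK = {"invalid_opcode": re.compile(r"invalid opcode", re.I)}  # supporting evidence only
START = re.compile(r"-+\[ cut here \]-+")   # assumed report delimiters
END = re.compile(r"-+\[ end trace")

def split_reports(lines):
    """Yield each crash report as a list of lines; other log lines are skipped."""
    report = []
    for line in lines:
        if START.search(line):
            if report:            # previous report never reached "end trace"
                yield report
            report = [line]
        elif report:
            report.append(line)
            if END.search(line):
                yield report
                report = []
    if report:                    # log cut off by the panic itself
        yield report

def classify(report):
    text = "\n".join(report)
    strong = sorted(k for k, rx in STRONG.items() if rx.search(text))
    weak = sorted(k for k, rx in WEAK.items() if rx.search(text))
    return ("match" if strong else "unrelated-oops", strong + weak)

def scan(lines):
    return [classify(r) for r in split_reports(lines)]

# Constructed sample log, not taken from a real system.
SAMPLE = """\
[   20.000000] ------------[ cut here ]------------
[   20.000001] kernel BUG at fs/example.c:42!
[   20.000002] Oops: invalid opcode: 0000 [#1] SMP
[   20.000003] ---[ end trace 0000000000000000 ]---
[   30.000000] ------------[ cut here ]------------
[   30.000001] kernel BUG at net/ipv6/ip6_fib.c:1217!
[   30.000002] Oops: invalid opcode: 0000 [#2] SMP
[   30.000003] RIP: 0010:fib6_add_rt2node+0x0/0x0
[   30.000004] ---[ end trace 0000000000000000 ]---
[   40.000000] ------------[ cut here ]------------
[   40.000001] RIP: 0010:fib6_add_rt2node+0x0/0x0
""".splitlines()
print(scan(SAMPLE))
```

To use it on a real host, pass the lines of dmesg or journalctl -k output to scan() in place of SAMPLE.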