CVE-2026-23004 (GCVE-0-2026-23004)

Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-01-25 14:36
VLAI?
Title
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
Summary
In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is neeed for IPv4. [1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 78df76a065ae3b5dbcb9a29912adc02f697de498 , < 722de945216144af7cd4d39bdeb936108d2595a7 (git)
Affected: 78df76a065ae3b5dbcb9a29912adc02f697de498 , < 9a6f0c4d5796ab89b5a28a890ce542344d58bd69 (git)
Create a notification for this product.
    Linux Linux Affected: 3.6
Unaffected: 0 , < 3.6 (semver)
Unaffected: 6.18.7 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc6 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dst.c",
            "net/ipv4/route.c",
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "722de945216144af7cd4d39bdeb936108d2595a7",
              "status": "affected",
              "version": "78df76a065ae3b5dbcb9a29912adc02f697de498",
              "versionType": "git"
            },
            {
              "lessThan": "9a6f0c4d5796ab89b5a28a890ce542344d58bd69",
              "status": "affected",
              "version": "78df76a065ae3b5dbcb9a29912adc02f697de498",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dst.c",
            "net/ipv4/route.c",
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "lessThan": "3.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc6",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()\n\nsyzbot was able to crash the kernel in rt6_uncached_list_flush_dev()\nin an interesting way [1]\n\nCrash happens in list_del_init()/INIT_LIST_HEAD() while writing\nlist-\u003eprev, while the prior write on list-\u003enext went well.\n\nstatic inline void INIT_LIST_HEAD(struct list_head *list)\n{\n\tWRITE_ONCE(list-\u003enext, list); // This went well\n\tWRITE_ONCE(list-\u003eprev, list); // Crash, @list has been freed.\n}\n\nIssue here is that rt6_uncached_list_del() did not attempt to lock\nul-\u003elock, as list_empty(\u0026rt-\u003edst.rt_uncached) returned\ntrue because the WRITE_ONCE(list-\u003enext, list) happened on the other CPU.\n\nWe might use list_del_init_careful() and list_empty_careful(),\nor make sure rt6_uncached_list_del() always grabs the spinlock\nwhenever rt-\u003edst.rt_uncached_list has been set.\n\nA similar fix is neeed for IPv4.\n\n[1]\n\n BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]\n BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]\n BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\n BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\nWrite of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450\n\nCPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: netns cleanup_net\nCall Trace:\n \u003cTASK\u003e\n  dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xca/0x240 mm/kasan/report.c:482\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\n  INIT_LIST_HEAD include/linux/list.h:46 [inline]\n  list_del_init include/linux/list.h:296 [inline]\n  rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\n  rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\n  addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853\n addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1\n  notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n  call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]\n  call_netdevice_notifiers net/core/dev.c:2282 [inline]\n  netif_close_many+0x29c/0x410 net/core/dev.c:1785\n  unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353\n  ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]\n  ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248\n  cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696\n  process_one_work kernel/workqueue.c:3257 [inline]\n  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n \u003c/TASK\u003e\n\nAllocated by task 803:\n  kasan_save_stack mm/kasan/common.c:57 [inline]\n  kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n  unpoison_slab_object mm/kasan/common.c:340 [inline]\n  __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n  kasan_slab_alloc include/linux/kasan.h:253 [inline]\n  slab_post_alloc_hook mm/slub.c:4953 [inline]\n  slab_alloc_node mm/slub.c:5263 [inline]\n  kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270\n  dst_alloc+0x105/0x170 net/core/dst.c:89\n  ip6_dst_alloc net/ipv6/route.c:342 [inline]\n  icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333\n  mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844\n  mld_send_cr net/ipv6/mcast.c:2154 [inline]\n  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n  process_one_work kernel/workqueue.c:3257 [inline]\n  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-25T14:36:18.233Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69"
        }
      ],
      "title": "dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23004",
    "datePublished": "2026-01-25T14:36:18.233Z",
    "dateReserved": "2026-01-13T15:37:45.939Z",
    "dateUpdated": "2026-01-25T14:36:18.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23004\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-25T15:15:55.273\",\"lastModified\":\"2026-01-26T15:03:33.357\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()\\n\\nsyzbot was able to crash the kernel in rt6_uncached_list_flush_dev()\\nin an interesting way [1]\\n\\nCrash happens in list_del_init()/INIT_LIST_HEAD() while writing\\nlist-\u003eprev, while the prior write on list-\u003enext went well.\\n\\nstatic inline void INIT_LIST_HEAD(struct list_head *list)\\n{\\n\\tWRITE_ONCE(list-\u003enext, list); // This went well\\n\\tWRITE_ONCE(list-\u003eprev, list); // Crash, @list has been freed.\\n}\\n\\nIssue here is that rt6_uncached_list_del() did not attempt to lock\\nul-\u003elock, as list_empty(\u0026rt-\u003edst.rt_uncached) returned\\ntrue because the WRITE_ONCE(list-\u003enext, list) happened on the other CPU.\\n\\nWe might use list_del_init_careful() and list_empty_careful(),\\nor make sure rt6_uncached_list_del() always grabs the spinlock\\nwhenever rt-\u003edst.rt_uncached_list has been set.\\n\\nA similar fix is neeed for IPv4.\\n\\n[1]\\n\\n BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]\\n BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]\\n BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\\n BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\\nWrite of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450\\n\\nCPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}\\nTainted: [L]=SOFTLOCKUP\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\\nWorkqueue: netns cleanup_net\\nCall Trace:\\n \u003cTASK\u003e\\n  dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\\n  print_address_description mm/kasan/report.c:378 [inline]\\n  print_report+0xca/0x240 mm/kasan/report.c:482\\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\\n  INIT_LIST_HEAD include/linux/list.h:46 [inline]\\n  list_del_init include/linux/list.h:296 [inline]\\n  rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\\n  rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\\n  addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853\\n addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1\\n  notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\\n  call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]\\n  call_netdevice_notifiers net/core/dev.c:2282 [inline]\\n  netif_close_many+0x29c/0x410 net/core/dev.c:1785\\n  unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353\\n  ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]\\n  ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248\\n  cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696\\n  process_one_work kernel/workqueue.c:3257 [inline]\\n  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\\n  kthread+0x711/0x8a0 kernel/kthread.c:463\\n  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\\n \u003c/TASK\u003e\\n\\nAllocated by task 803:\\n  kasan_save_stack mm/kasan/common.c:57 [inline]\\n  kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\\n  unpoison_slab_object mm/kasan/common.c:340 [inline]\\n  __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\\n  kasan_slab_alloc include/linux/kasan.h:253 [inline]\\n  slab_post_alloc_hook mm/slub.c:4953 [inline]\\n  slab_alloc_node mm/slub.c:5263 [inline]\\n  kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270\\n  dst_alloc+0x105/0x170 net/core/dst.c:89\\n  ip6_dst_alloc net/ipv6/route.c:342 [inline]\\n  icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333\\n  mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844\\n  mld_send_cr net/ipv6/mcast.c:2154 [inline]\\n  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\\n  process_one_work kernel/workqueue.c:3257 [inline]\\n  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\\n  kthread+0x711/0x8a0 kernel/kthread.c:463\\n  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.