{ "affected": [ { "ranges": [ { "events": [ { "introduced": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7" }, { "fixed": "4630897eb1a039b5d7b737b8dc9521d9d4b568b5" }, { "fixed": "2619499169fb1c2ac4974b0f2d87767fb543582b" }, { "fixed": "fad8f4ff7928f4d52a062ffdcffa484989c79c47" }, { "fixed": "2a2b9d25f801afecf2f83cacce98afa8fd73e3c9" }, { "fixed": "e3c1040252e598f7b4e33a42dc7c38519bc22428" }, { "fixed": "9a063f96d87efc3a6cc667f8de096a3d38d74bb5" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23124.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: annotate data-race in ndisc_router_discovery()\n\nsyzbot found that ndisc_router_discovery() could read and write\nin6_dev-\u003era_mtu without holding a lock [1]\n\nThis looks fine, IFLA_INET6_RA_MTU is best effort.\n\nAdd READ_ONCE()/WRITE_ONCE() to document the race.\n\nNote that we might also reject illegal MTU values\n(mtu \u003c IPV6_MIN_MTU || mtu \u003e skb-\u003edev-\u003emtu) in a future patch.\n\n[1]\nBUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery\n\nread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:\n ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nwrite to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:\n ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nvalue changed: 0x00000000 -\u003e 0xe5400659", "id": "CVE-2026-23124", "modified": "2026-04-01T23:08:24.278659566Z", "published": "2026-02-14T15:09:54.043Z", "references": [ { "type": "WEB", "url": "https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23124.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23124" }, { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" } ], "schema_version": "1.7.3", "summary": "ipv6: annotate data-race in ndisc_router_discovery()" }