nexthop: fix IPv6 route referencing IPv4 nexthop

Summary

CVECVE-2026-53012
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-24 17:17:12 UTC
Updated2026-07-10 19:24:19 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic [1] [2]. When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups containing this nexthop is not updated. This is because nh_group_v4_update is only called when replacing AF_INET to AF_INET6, but the reverse direction (AF_INET6 to AF_INET) is missed. This allows a stale has_v4=false to bypass fib6_check_nexthop, causing IPv6 routes to be attached to groups that effectively contain only AF_INET members. Subsequent route lookups then call nexthop_fib6_nh() which returns NULL for the AF_INET member, leading to a NULL pointer dereference. Fix by calling nh_group_v4_update whenever the family changes, not just AF_INET to AF_INET6. Reproducer: # AF_INET6 blackhole ip -6 nexthop add id 1 blackhole # group with has_v4=false ip nexthop add id 100 group 1 # replace with AF_INET (no -6), has_v4 stays false ip nexthop replace id 1 blackhole # pass stale has_v4 check ip -6 route add 2001:db8::/64 nhid 100 # panic ping -6 2001:db8::1 [1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0 [2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3

Risk And Classification

EPSS: 0.001850000 probability, percentile 0.082780000 (date 2026-07-12)

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f ceffe81a0be92afc0cd1340bc8ca46559cce9bb4 git Not specified
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f 9c2d6770a5f4545a307eb66979bef7656a34d621 git Not specified
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f 6275796f22bb382f3e9aa58ed0b4ef7bdad78cb8 git Not specified
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f aaac3bed034239e1d75732211d9b05f30b0b4f35 git Not specified
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f ad85961004fd4bd2f31209ac4b07612c6cefb9e7 git Not specified
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f 613c8f4a501421dd258b07ea614205d4e16ec845 git Not specified
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f b3b7e850e1541f0520c4a12ec884255c30427ff6 git Not specified
CNA Linux Linux affected 7bf4796dd09984ad1612877a82d0d139c70ae27f 29c95185ba32b621fbc3800fb86e7dc3edf5c2be git Not specified
CNA Linux Linux affected 5.3 Not specified
CNA Linux Linux unaffected 5.3 semver Not specified
CNA Linux Linux unaffected 5.10.258 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.141 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.91 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.33 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.10 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/29c95185ba32b621fbc3800fb86e7dc3edf5c2be 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/aaac3bed034239e1d75732211d9b05f30b0b4f35 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/b3b7e850e1541f0520c4a12ec884255c30427ff6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/9c2d6770a5f4545a307eb66979bef7656a34d621 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/613c8f4a501421dd258b07ea614205d4e16ec845 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/ceffe81a0be92afc0cd1340bc8ca46559cce9bb4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/ad85961004fd4bd2f31209ac4b07612c6cefb9e7 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/6275796f22bb382f3e9aa58ed0b4ef7bdad78cb8 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report