{"id":"CVE-2026-23124","summary":"ipv6: annotate data-race in ndisc_router_discovery()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: annotate data-race in ndisc_router_discovery()\n\nsyzbot found that ndisc_router_discovery() could read and write\nin6_dev-\u003era_mtu without holding a lock [1]\n\nThis looks fine, IFLA_INET6_RA_MTU is best effort.\n\nAdd READ_ONCE()/WRITE_ONCE() to document the race.\n\nNote that we might also reject illegal MTU values\n(mtu \u003c IPV6_MIN_MTU || mtu \u003e skb-\u003edev-\u003emtu) in a future patch.\n\n[1]\nBUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery\n\nread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:\n  ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558\n  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n  dst_input include/net/dst.h:474 [inline]\n  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nwrite to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:\n  ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559\n  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n  dst_input include/net/dst.h:474 [inline]\n  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nvalue changed: 0x00000000 -\u003e 0xe5400659","modified":"2026-05-18T05:59:43.761789531Z","published":"2026-02-14T15:09:54.043Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23124.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23124.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23124"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7"},{"fixed":"4630897eb1a039b5d7b737b8dc9521d9d4b568b5"},{"fixed":"2619499169fb1c2ac4974b0f2d87767fb543582b"},{"fixed":"fad8f4ff7928f4d52a062ffdcffa484989c79c47"},{"fixed":"2a2b9d25f801afecf2f83cacce98afa8fd73e3c9"},{"fixed":"e3c1040252e598f7b4e33a42dc7c38519bc22428"},{"fixed":"9a063f96d87efc3a6cc667f8de096a3d38d74bb5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23124.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"5.15.199"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.162"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.122"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.68"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23124.json"}}],"schema_version":"1.7.5"}