{"id":"CVE-2026-23200","summary":"ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF\n\nsyzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6\nroute. [0]\n\nCommit f72514b3c569 (\"ipv6: clear RA flags when adding a static\nroute\") introduced logic to clear RTF_ADDRCONF from existing routes\nwhen a static route with the same nexthop is added. However, this\ncauses a problem when the existing route has a gateway.\n\nWhen RTF_ADDRCONF is cleared from a route that has a gateway, that\nroute becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns\ntrue. The issue is that this route was never added to the\nfib6_siblings list.\n\nThis leads to a mismatch between the following counts:\n\n- The sibling count computed by iterating fib6_next chain, which\n  includes the newly ECMP-eligible route\n\n- The actual siblings in fib6_siblings list, which does not include\n  that route\n\nWhen a subsequent ECMP route is added, fib6_add_rt2node() hits\nBUG_ON(sibling-\u003efib6_nsiblings != rt-\u003efib6_nsiblings) because the\ncounts don't match.\n\nFix this by only clearing RTF_ADDRCONF when the existing route does\nnot have a gateway. Routes without a gateway cannot qualify for ECMP\nanyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing\nRTF_ADDRCONF on them is safe and matches the original intent of the\ncommit.\n\n[0]:\nkernel BUG at net/ipv6/ip6_fib.c:1217!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217\n[...]\nCall Trace:\n \u003cTASK\u003e\n fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946\n ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571\n inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577\n sock_do_ioctl+0xdc/0x300 net/socket.c:1245\n sock_ioctl+0x576/0x790 net/socket.c:1366\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f","modified":"2026-03-20T12:47:26.988809Z","published":"2026-02-14T16:27:25.025Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23200.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/50b7c7a255858a85c4636a1e990ca04591153dca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b8ad2d53f706aeea833d23d45c0758398fede580"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d8143c54ceeba232dc8a13aa0afa14a44b371d93"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23200.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23200"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cb2b0caa8ca93cbe39177516669bf699c74f7041"},{"fixed":"50b7c7a255858a85c4636a1e990ca04591153dca"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"03f642caab84bbfd138e74f671bb436186ea7e82"},{"fixed":"d8143c54ceeba232dc8a13aa0afa14a44b371d93"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3e5b25da0b4109a3e063759735e6ec4236ea5a05"},{"fixed":"b8ad2d53f706aeea833d23d45c0758398fede580"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f72514b3c5698e4b900b25345e09f9ed33123de6"},{"fixed":"bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"61d88ea0f30c88e4ea98793594943aed8f1fc9ab"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23200.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.6.120"},{"fixed":"6.6.124"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.12.63"},{"fixed":"6.12.70"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.18.2"},{"fixed":"6.18.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23200.json"}}],"schema_version":"1.7.5"}