{ "threat_severity" : "Moderate", "public_date" : "2026-01-25T00:00:00Z", "bugzilla" : { "description" : "kernel: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()", "id" : "2432662", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2432662" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()\nsyzbot was able to crash the kernel in rt6_uncached_list_flush_dev()\nin an interesting way [1]\nCrash happens in list_del_init()/INIT_LIST_HEAD() while writing\nlist->prev, while the prior write on list->next went well.\nstatic inline void INIT_LIST_HEAD(struct list_head *list)\n{\nWRITE_ONCE(list->next, list); // This went well\nWRITE_ONCE(list->prev, list); // Crash, @list has been freed.\n}\nIssue here is that rt6_uncached_list_del() did not attempt to lock\nul->lock, as list_empty(&rt->dst.rt_uncached) returned\ntrue because the WRITE_ONCE(list->next, list) happened on the other CPU.\nWe might use list_del_init_careful() and list_empty_careful(),\nor make sure rt6_uncached_list_del() always grabs the spinlock\nwhenever rt->dst.rt_uncached_list has been set.\nA similar fix is neeed for IPv4.\n[1]\nBUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]\nBUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]\nBUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\nBUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\nWrite of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450\nCPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: netns cleanup_net\nCall Trace:\n\ndump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0xca/0x240 mm/kasan/report.c:482\nkasan_report+0x118/0x150 mm/kasan/report.c:595\nINIT_LIST_HEAD include/linux/list.h:46 [inline]\nlist_del_init include/linux/list.h:296 [inline]\nrt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\nrt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\naddrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853\naddrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1\nnotifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\ncall_netdevice_notifiers_extack net/core/dev.c:2268 [inline]\ncall_netdevice_notifiers net/core/dev.c:2282 [inline]\nnetif_close_many+0x29c/0x410 net/core/dev.c:1785\nunregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353\nops_exit_rtnl_list net/core/net_namespace.c:187 [inline]\nops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248\ncleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696\nprocess_one_work kernel/workqueue.c:3257 [inline]\nprocess_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\nkthread+0x711/0x8a0 kernel/kthread.c:463\nret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nAllocated by task 803:\nkasan_save_stack mm/kasan/common.c:57 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:78\nunpoison_slab_object mm/kasan/common.c:340 [inline]\n__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\nkasan_slab_alloc include/linux/kasan.h:253 [inline]\nslab_post_alloc_hook mm/slub.c:4953 [inline]\nslab_alloc_node mm/slub.c:5263 [inline]\nkmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270\ndst_alloc+0x105/0x170 net/core/dst.c:89\nip6_dst_alloc net/ipv6/route.c:342 [inline]\nicmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333\nmld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844\nmld_send_cr net/ipv6/mcast.c:2154 [inline]\nmld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\nprocess_one_work kernel/workqueue.c:3257 [inline]\nprocess_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\nkthread+0x711/0x8a0 kernel/kthread.c:463\nret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr\n---truncated---" ], "statement" : "A race in IPv6/IPv4 uncached route list deletion can lead to a use-after-free when one CPU observes a transient \"empty list\" state and skips locking, while another CPU is concurrently deleting/initializing the list head. This results in writes to a freed dst_entry list_head (KASAN UAF), typically reachable via local network namespace / device teardown paths.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23004\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23004\nhttps://lore.kernel.org/linux-cve-announce/2026012535-CVE-2026-23004-205e@gregkh/T" ], "name" : "CVE-2026-23004", "csaw" : false }