{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: ipv4: fix ARM64 alignment fault in multipath hash seed",
    "id" : "2451258",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451258"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-468",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: ipv4: fix ARM64 alignment fault in multipath hash seed\n`struct sysctl_fib_multipath_hash_seed` contains two u32 fields\n(user_seed and mp_seed), making it an 8-byte structure with a 4-byte\nalignment requirement.\nIn `fib_multipath_hash_from_keys()`, the code evaluates the entire\nstruct atomically via `READ_ONCE()`:\nmp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\nWhile this silently works on GCC by falling back to unaligned regular\nloads which the ARM64 kernel tolerates, it causes a fatal kernel panic\nwhen compiled with Clang and LTO enabled.\nCommit e35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire\nwhen CONFIG_LTO=y\") strengthens `READ_ONCE()` to use Load-Acquire\ninstructions (`ldar` / `ldapr`) to prevent compiler reordering bugs\nunder Clang LTO. Since the macro evaluates the full 8-byte struct,\nClang emits a 64-bit `ldar` instruction. ARM64 architecture strictly\nrequires `ldar` to be naturally aligned, thus executing it on a 4-byte\naligned address triggers a strict Alignment Fault (FSC = 0x21).\nFix the read side by moving the `READ_ONCE()` directly to the `u32`\nmember, which emits a safe 32-bit `ldar Wn`.\nFurthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire\nstruct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis\nshows that Clang splits this 8-byte write into two separate 32-bit\n`str` instructions. While this avoids an alignment fault, it destroys\natomicity and exposes a tear-write vulnerability. Fix this by\nexplicitly splitting the write into two 32-bit `WRITE_ONCE()`\noperations.\nFinally, add the missing `READ_ONCE()` when reading `user_seed` in\n`proc_fib_multipath_hash_seed()` to ensure proper pairing and\nconcurrency safety.", "A flaw was found in the Linux kernel's handling of multipath hash seeds on ARM64 architectures. This vulnerability can lead to a system crash (kernel panic) when the kernel is compiled with specific optimizations, such as Clang with Link-Time Optimization (LTO), due to an alignment fault during memory access. Additionally, a separate issue exists where non-atomic updates to the hash seed can result in a tear-write vulnerability, potentially compromising data integrity. These issues could be triggered under specific conditions related to network multipath hashing." ],
  "statement" : "This flaw is specific to ARM64 systems running kernels compiled with Clang LTO. The alignment fault occurs when READ_ONCE() on a 4-byte aligned 8-byte structure causes a 64-bit Load-Acquire instruction to execute on a misaligned address. Additionally, the tear-write vulnerability affects atomicity of hash seed updates. Most enterprise deployments use GCC-compiled kernels where this specific issue does not manifest.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23316\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23316\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23316-2ce3@gregkh/T" ],
  "name" : "CVE-2026-23316",
  "csaw" : false
}