CVE-2026-23124

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: annotate data-race in ndisc_router_discovery()<br /> <br /> syzbot found that ndisc_router_discovery() could read and write<br /> in6_dev-&gt;ra_mtu without holding a lock [1]<br /> <br /> This looks fine, IFLA_INET6_RA_MTU is best effort.<br /> <br /> Add READ_ONCE()/WRITE_ONCE() to document the race.<br /> <br /> Note that we might also reject illegal MTU values<br /> (mtu skb-&gt;dev-&gt;mtu) in a future patch.<br /> <br /> [1]<br /> BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery<br /> <br /> read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:<br /> ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558<br /> ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841<br /> icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989<br /> ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438<br /> ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489<br /> NF_HOOK include/linux/netfilter.h:318 [inline]<br /> ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500<br /> ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590<br /> dst_input include/net/dst.h:474 [inline]<br /> ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79<br /> ...<br /> <br /> write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:<br /> ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559<br /> ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841<br /> icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989<br /> ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438<br /> ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489<br /> NF_HOOK include/linux/netfilter.h:318 [inline]<br /> ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500<br /> ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590<br /> dst_input include/net/dst.h:474 [inline]<br /> ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79<br /> ...<br /> <br /> value changed: 0x00000000 -&gt; 0xe5400659