CVE-2026-23316

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 25/03/2026
Last modified: 23/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix ARM64 alignment fault in multipath hash seed

`struct sysctl_fib_multipath_hash_seed` contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with a 4-byte alignment requirement.

In `fib_multipath_hash_from_keys()`, the code evaluates the entire struct atomically via `READ_ONCE()`:

    mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;

While this silently works on GCC by falling back to unaligned regular loads which the ARM64 kernel tolerates, it causes a fatal kernel panic when compiled with Clang and LTO enabled.

Commit e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when CONFIG_LTO=y") strengthens `READ_ONCE()` to use Load-Acquire instructions (`ldar` / `ldapr`) to prevent compiler reordering bugs under Clang LTO. Since the macro evaluates the full 8-byte struct, Clang emits a 64-bit `ldar` instruction. ARM64 architecture strictly requires `ldar` to be naturally aligned, thus executing it on a 4-byte aligned address triggers a strict Alignment Fault (FSC = 0x21).

Fix the read side by moving the `READ_ONCE()` directly to the `u32` member, which emits a safe 32-bit `ldar Wn`.

Furthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire struct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis shows that Clang splits this 8-byte write into two separate 32-bit `str` instructions. While this avoids an alignment fault, it destroys atomicity and exposes a tear-write vulnerability. Fix this by explicitly splitting the write into two 32-bit `WRITE_ONCE()` operations.

Finally, add the missing `READ_ONCE()` when reading `user_seed` in `proc_fib_multipath_hash_seed()` to ensure proper pairing and concurrency safety.
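The layout issue described above, as an added user-space example (not kernel code, and not part of the advisory or the patch): it shows that a struct of two u32 fields can sit at an address that is valid for 4-byte member accesses but not naturally aligned for one 8-byte access, and does the reads and writes per member as the fix describes. `struct hash_seed`, `struct container`, `READ_ONCE_U32`/`WRITE_ONCE_U32` and the helper functions are assumptions standing in for the kernel's struct and macros.

```c
#include <stdalign.h>
#include <stdint.h>
#include <stdio.h>

/* User-space mirror of the layout the advisory describes: two u32 fields. */
struct hash_seed {
    uint32_t user_seed;
    uint32_t mp_seed;
};

/* Simplified stand-ins for the kernel macros, restricted to 32-bit members. */
#define READ_ONCE_U32(x)     (*(const volatile uint32_t *)&(x))
#define WRITE_ONCE_U32(x, v) (*(volatile uint32_t *)&(x) = (v))

/* Returns 1 if one access of `width` bytes at p would be naturally aligned. */
static int naturally_aligned(const void *p, size_t width)
{
    return ((uintptr_t)p % width) == 0;
}

/* Constructed container: the leading u32 puts `seed` at offset 4, which
 * satisfies the struct's 4-byte alignment but not 8-byte alignment. */
struct container {
    alignas(8) uint32_t pad;
    struct hash_seed seed;
};

/* Read side as in the fix: load only the u32 member, never the whole struct. */
static uint32_t read_mp_seed(const struct hash_seed *s)
{
    return READ_ONCE_U32(s->mp_seed);
}

/* Write side as in the fix: two explicit 32-bit stores, one per member. */
static void write_seed(struct hash_seed *s, uint32_t user, uint32_t mp)
{
    WRITE_ONCE_U32(s->user_seed, user);
    WRITE_ONCE_U32(s->mp_seed, mp);
}

int main(void)
{
    static struct container c;
    write_seed(&c.seed, 0x1234u, 0xabcdu);
    printf("sizeof=%zu alignof=%zu\n", sizeof(struct hash_seed), alignof(struct hash_seed));
    printf("aligned for 8-byte access: %d, for 4-byte member access: %d\n",
           naturally_aligned(&c.seed, 8), naturally_aligned(&c.seed.mp_seed, 4));
    printf("mp_seed=0x%x\n", read_mp_seed(&c.seed));
    return 0;
}
```
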

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11.1 (including) 6.12.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*