Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2026-23004

Severity:
Pending analysis
Type:
Not Available / Other type
Publication date:
25/01/2026
Last modified:
25/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()

syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
in an interesting way [1]

Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
list->prev, while the prior write on list->next went well.

    static inline void INIT_LIST_HEAD(struct list_head *list)
    {
        WRITE_ONCE(list->next, list); // This went well
        WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
    }

Issue here is that rt6_uncached_list_del() did not attempt to lock
ul->lock, as list_empty(&rt->dst.rt_uncached) returned
true because the WRITE_ONCE(list->next, list) happened on the other CPU.

We might use list_del_init_careful() and list_empty_careful(),
or make sure rt6_uncached_list_del() always grabs the spinlock
whenever rt->dst.rt_uncached_list has been set.

A similar fix is needed for IPv4.

[1]

BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]
BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]
BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450

CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
Call Trace:

dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
INIT_LIST_HEAD include/linux/list.h:46 [inline]
list_del_init include/linux/list.h:296 [inline]
rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853
addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
netif_close_many+0x29c/0x410 net/core/dev.c:1785
unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248
cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Allocated by task 803:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
dst_alloc+0x105/0x170 net/core/dst.c:89
ip6_dst_alloc net/ipv6/route.c:342 [inline]
icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr
---truncated---
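
The interleaving described above, replayed deterministically in user space as an added example; it is not kernel code and not the upstream patch. `struct rt_model`, `ul_set`, `del_takes_lock()` and `replay()` are hypothetical names, the free is simulated with a flag, and the `fixed` branch models the description's option of always taking the lock once `rt_uncached_list` has been set.

```c
#include <stdbool.h>

/* Simplified stand-in for the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };

/* Hypothetical model of a route: ul_set stands for "rt_uncached_list has
 * been set"; freed is a flag so the replay never touches freed memory. */
struct rt_model { struct list_head rt_uncached; bool ul_set, freed; };

static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Del path on CPU B: does it take ul->lock before unlinking? */
static bool del_takes_lock(const struct rt_model *rt, bool fixed)
{
	if (fixed)
		return rt->ul_set;                /* lock whenever the list was set */
	return !list_empty(&rt->rt_uncached); /* lockless check from the report */
}

/* Replays the interleaving; true means CPU A's second write hits a freed rt. */
static bool replay(bool fixed)
{
	struct list_head ul_head;
	struct rt_model rt = { .ul_set = true, .freed = false };
	bool uaf;

	/* Start state: rt is linked on the uncached list (head <-> rt). */
	ul_head.next = ul_head.prev = &rt.rt_uncached;
	rt.rt_uncached.next = rt.rt_uncached.prev = &ul_head;

	/* CPU A (flush_dev, holding ul->lock): unlink, then first INIT write. */
	ul_head.next = ul_head.prev = &ul_head;
	rt.rt_uncached.next = &rt.rt_uncached;

	/* CPU B: without the lock it does not wait for A and frees rt now.
	 * With the lock it would block until A is done (no free yet). */
	if (!del_takes_lock(&rt, fixed))
		rt.freed = true;

	/* CPU A: second INIT_LIST_HEAD write, WRITE_ONCE(list->prev, list). */
	uaf = rt.freed;
	rt.rt_uncached.prev = &rt.rt_uncached;
	return uaf;
}

int main(void) { return (replay(false) && !replay(true)) ? 0 : 1; }
```

With the lockless `list_empty()` check the half-initialized node already looks empty to CPU B, which is the window the KASAN report shows; keying the decision on whether the list pointer was ever set closes it.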

Impact