{"id":75810,"date":"2026-01-25T18:45:55","date_gmt":"2026-01-25T15:15:55","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-23010-ipv6-fix-use-after-free-in-inet6_addr_del\/"},"modified":"2026-01-25T18:45:55","modified_gmt":"2026-01-25T15:15:55","slug":"cve-2026-23010-ipv6-fix-use-after-free-in-inet6_addr_del","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-23010-ipv6-fix-use-after-free-in-inet6_addr_del\/","title":{"rendered":"CVE-2026-23010 &#8211; ipv6: Fix use-after-free in inet6_addr_del()."},"content":{"rendered":"<p>CVE ID : CVE-2026-23010<\/p>\n<p>Published :  Jan. 25, 2026, 3:15 p.m. | 1\u00a0hour, 46\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>ipv6: Fix use-after-free in inet6_addr_del().<\/p>\n<p>syzbot reported use-after-free of inet6_ifaddr in<br \/>\ninet6_addr_del(). [0]\n<p>The cited commit accidentally moved ipv6_del_addr() for<br \/>\nmngtmpaddr before reading its ifp-&gt;flags for temporary<br \/>\naddresses in inet6_addr_del().<\/p>\n<p>Let&#8217;s move ipv6_del_addr() down to fix the UAF.<\/p>\n[0]:<br \/>\nBUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a\/0x6b0 net\/ipv6\/addrconf.c:3117<br \/>\nRead of size 4 at addr ffff88807b89c86c by task syz.3.1618\/9593<\/p>\n<p>CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)<br \/>\nHardware name: Google Google Compute Engine\/Google Compute Engine, BIOS Google 10\/25\/2025<br \/>\nCall Trace:<\/p>\n<p> __dump_stack lib\/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116\/0x1f0 lib\/dump_stack.c:120<br \/>\n print_address_description mm\/kasan\/report.c:378 [inline]\n print_report+0xcd\/0x630 mm\/kasan\/report.c:482<br \/>\n kasan_report+0xe0\/0x110 mm\/kasan\/report.c:595<br \/>\n inet6_addr_del.constprop.0+0x67a\/0x6b0 net\/ipv6\/addrconf.c:3117<br \/>\n addrconf_del_ifaddr+0x11e\/0x190 net\/ipv6\/addrconf.c:3181<br \/>\n inet6_ioctl+0x1e5\/0x2b0 net\/ipv6\/af_inet6.c:582<br \/>\n sock_do_ioctl+0x118\/0x280 net\/socket.c:1254<br \/>\n sock_ioctl+0x227\/0x6b0 net\/socket.c:1375<br \/>\n vfs_ioctl fs\/ioctl.c:51 [inline]\n __do_sys_ioctl fs\/ioctl.c:597 [inline]\n __se_sys_ioctl fs\/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e\/0x210 fs\/ioctl.c:583<br \/>\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\n do_syscall_64+0xcd\/0xf80 arch\/x86\/entry\/syscall_64.c:94<br \/>\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f<br \/>\nRIP: 0033:0x7f164cf8f749<br \/>\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05  3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br \/>\nRSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br \/>\nRAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749<br \/>\nRDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003<br \/>\nRBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000<br \/>\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br \/>\nR13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288<\/p>\n<p>Allocated by task 9593:<br \/>\n kasan_save_stack+0x33\/0x60 mm\/kasan\/common.c:56<br \/>\n kasan_save_track+0x14\/0x30 mm\/kasan\/common.c:77<br \/>\n poison_kmalloc_redzone mm\/kasan\/common.c:397 [inline]\n __kasan_kmalloc+0xaa\/0xb0 mm\/kasan\/common.c:414<br \/>\n kmalloc_noprof include\/linux\/slab.h:957 [inline]\n kzalloc_noprof include\/linux\/slab.h:1094 [inline]\n ipv6_add_addr+0x4e3\/0x2010 net\/ipv6\/addrconf.c:1120<br \/>\n inet6_addr_add+0x256\/0x9b0 net\/ipv6\/addrconf.c:3050<br \/>\n addrconf_add_ifaddr+0x1fc\/0x450 net\/ipv6\/addrconf.c:3160<br \/>\n inet6_ioctl+0x103\/0x2b0 net\/ipv6\/af_inet6.c:580<br \/>\n sock_do_ioctl+0x118\/0x280 net\/socket.c:1254<br \/>\n sock_ioctl+0x227\/0x6b0 net\/socket.c:1375<br \/>\n vfs_ioctl fs\/ioctl.c:51 [inline]\n __do_sys_ioctl fs\/ioctl.c:597 [inline]\n __se_sys_ioctl fs\/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e\/0x210 fs\/ioctl.c:583<br \/>\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\n do_syscall_64+0xcd\/0xf80 arch\/x86\/entry\/syscall_64.c:94<br \/>\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f<\/p>\n<p>Freed by task 6099:<br \/>\n kasan_save_stack+0x33\/0x60 mm\/kasan\/common.c:56<br \/>\n kasan_save_track+0x14\/0x30 mm\/kasan\/common.c:77<br \/>\n kasan_save_free_info+0x3b\/0x60 mm\/kasan\/generic.c:584<br \/>\n poison_slab_object mm\/kasan\/common.c:252 [inline]\n __kasan_slab_free+0x5f\/0x80 mm\/kasan\/common.c:284<br \/>\n kasan_slab_free include\/linux\/kasan.h:234 [inline]\n slab_free_hook mm\/slub.c:2540 [inline]\n slab_free_freelist_hook mm\/slub.c:2569 [inline]\n slab_free_bulk mm\/slub.c:6696 [inline]\n kmem_cache_free_bulk mm\/slub.c:7383 [inline]\n kmem_cache_free_bulk+0x2bf\/0x680 mm\/slub.c:7362<br \/>\n kfree_bulk include\/linux\/slab.h:830 [inline]\n kvfree_rcu_bulk+0x1b7\/0x1e0 mm\/slab_common.c:1523<br \/>\n kvfree_rcu_drain_ready mm\/slab_common.c:1728 [inline]\n kfree_rcu_monitor+0x1d0\/0x2f0 mm\/slab_common.c:1801<br \/>\n process_one_work+0x9ba\/0x1b20 kernel\/workqueue.c:3257<br \/>\n process_scheduled_works kernel\/workqu<br \/>\n&#8212;truncated&#8212;<\/p>\n<p>Severity: 0.0 | NA<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2026-23010 Published : Jan. 25, 2026, 3:15 p.m. | 1\u00a0hour, 46\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp-&gt;flags for temporary addresses &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-75810","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=75810"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75810\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=75810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=75810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=75810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}