{"id":75816,"date":"2026-01-25T18:45:55","date_gmt":"2026-01-25T15:15:55","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-23004-dst-fix-races-in-rt6_uncached_list_del-and-rt_del_uncached_list\/"},"modified":"2026-01-25T18:45:55","modified_gmt":"2026-01-25T15:15:55","slug":"cve-2026-23004-dst-fix-races-in-rt6_uncached_list_del-and-rt_del_uncached_list","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-23004-dst-fix-races-in-rt6_uncached_list_del-and-rt_del_uncached_list\/","title":{"rendered":"CVE-2026-23004 &#8211; dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()"},"content":{"rendered":"<p>CVE ID : CVE-2026-23004<\/p>\n<p>Published :  Jan. 25, 2026, 3:15 p.m. | 1\u00a0hour, 46\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()<\/p>\n<p>syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()<br \/>\nin an interesting way [1]\n<p>Crash happens in list_del_init()\/INIT_LIST_HEAD() while writing<br \/>\nlist-&gt;prev, while the prior write on list-&gt;next went well.<\/p>\n<p>static inline void INIT_LIST_HEAD(struct list_head *list)<br \/>\n{<br \/>\n\tWRITE_ONCE(list-&gt;next, list); \/\/ This went well<br \/>\n\tWRITE_ONCE(list-&gt;prev, list); \/\/ Crash, @list has been freed.<br \/>\n}<\/p>\n<p>Issue here is that rt6_uncached_list_del() did not attempt to lock<br \/>\nul-&gt;lock, as list_empty(&amp;rt-&gt;dst.rt_uncached) returned<br \/>\ntrue because the WRITE_ONCE(list-&gt;next, list) happened on the other CPU.<\/p>\n<p>We might use list_del_init_careful() and list_empty_careful(),<br \/>\nor make sure rt6_uncached_list_del() always grabs the spinlock<br \/>\nwhenever rt-&gt;dst.rt_uncached_list has been set.<\/p>\n<p>A similar fix is needed for IPv4.<\/p>\n[1]\n<p> BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include\/linux\/list.h:46 
[inline]\n BUG: KASAN: slab-use-after-free in list_del_init include\/linux\/list.h:296 [inline]\n BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net\/ipv6\/route.c:191 [inline]\n BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633\/0x730 net\/ipv6\/route.c:5020<br \/>\nWrite of size 8 at addr ffff8880294cfa78 by task kworker\/u8:14\/3450<\/p>\n<p>CPU: 0 UID: 0 PID: 3450 Comm: kworker\/u8:14 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}<br \/>\nTainted: [L]=SOFTLOCKUP<br \/>\nHardware name: Google Google Compute Engine\/Google Compute Engine, BIOS Google 10\/25\/2025<br \/>\nWorkqueue: netns cleanup_net<br \/>\nCall Trace:<\/p>\n<p>  dump_stack_lvl+0xe8\/0x150 lib\/dump_stack.c:120<br \/>\n  print_address_description mm\/kasan\/report.c:378 [inline]\n  print_report+0xca\/0x240 mm\/kasan\/report.c:482<br \/>\n  kasan_report+0x118\/0x150 mm\/kasan\/report.c:595<br \/>\n  INIT_LIST_HEAD include\/linux\/list.h:46 [inline]\n  list_del_init include\/linux\/list.h:296 [inline]\n  rt6_uncached_list_flush_dev net\/ipv6\/route.c:191 [inline]\n  rt6_disable_ip+0x633\/0x730 net\/ipv6\/route.c:5020<br \/>\n  addrconf_ifdown+0x143\/0x18a0 net\/ipv6\/addrconf.c:3853<br \/>\n addrconf_notify+0x1bc\/0x1050 net\/ipv6\/addrconf.c:-1<br \/>\n  notifier_call_chain+0x19d\/0x3a0 kernel\/notifier.c:85<br \/>\n  call_netdevice_notifiers_extack net\/core\/dev.c:2268 [inline]\n  call_netdevice_notifiers net\/core\/dev.c:2282 [inline]\n  netif_close_many+0x29c\/0x410 net\/core\/dev.c:1785<br \/>\n  unregister_netdevice_many_notify+0xb50\/0x2330 net\/core\/dev.c:12353<br \/>\n  ops_exit_rtnl_list net\/core\/net_namespace.c:187 [inline]\n  ops_undo_list+0x3dc\/0x990 net\/core\/net_namespace.c:248<br \/>\n  cleanup_net+0x4de\/0x7b0 net\/core\/net_namespace.c:696<br \/>\n  process_one_work kernel\/workqueue.c:3257 [inline]\n  process_scheduled_works+0xad1\/0x1770 kernel\/workqueue.c:3340<br \/>\n  worker_thread+0x8a0\/0xda0 kernel\/workqueue.c:3421<br \/>\n  
kthread+0x711\/0x8a0 kernel\/kthread.c:463<br \/>\n  ret_from_fork+0x510\/0xa50 arch\/x86\/kernel\/process.c:158<br \/>\n  ret_from_fork_asm+0x1a\/0x30 arch\/x86\/entry\/entry_64.S:246<\/p>\n<p>Allocated by task 803:<br \/>\n  kasan_save_stack mm\/kasan\/common.c:57 [inline]\n  kasan_save_track+0x3e\/0x80 mm\/kasan\/common.c:78<br \/>\n  unpoison_slab_object mm\/kasan\/common.c:340 [inline]\n  __kasan_slab_alloc+0x6c\/0x80 mm\/kasan\/common.c:366<br \/>\n  kasan_slab_alloc include\/linux\/kasan.h:253 [inline]\n  slab_post_alloc_hook mm\/slub.c:4953 [inline]\n  slab_alloc_node mm\/slub.c:5263 [inline]\n  kmem_cache_alloc_noprof+0x18d\/0x6c0 mm\/slub.c:5270<br \/>\n  dst_alloc+0x105\/0x170 net\/core\/dst.c:89<br \/>\n  ip6_dst_alloc net\/ipv6\/route.c:342 [inline]\n  icmp6_dst_alloc+0x75\/0x460 net\/ipv6\/route.c:3333<br \/>\n  mld_sendpack+0x683\/0xe60 net\/ipv6\/mcast.c:1844<br \/>\n  mld_send_cr net\/ipv6\/mcast.c:2154 [inline]\n  mld_ifc_work+0x83e\/0xd60 net\/ipv6\/mcast.c:2693<br \/>\n  process_one_work kernel\/workqueue.c:3257 [inline]\n  process_scheduled_works+0xad1\/0x1770 kernel\/workqueue.c:3340<br \/>\n  worker_thread+0x8a0\/0xda0 kernel\/workqueue.c:3421<br \/>\n  kthread+0x711\/0x8a0 kernel\/kthread.c:463<br \/>\n  ret_from_fork+0x510\/0xa50 arch\/x86\/kernel\/process.c:158<br \/>\n  ret_from_fork_asm+0x1a\/0x30 arch\/x86\/entry\/entr<br \/>\n&#8212;truncated&#8212;<\/p>\n<p>Severity: 0.0 | NA<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2026-23004 Published : Jan. 25, 2026, 3:15 p.m. 
| 1\u00a0hour, 46\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()\/INIT_LIST_HEAD() while writing list-&gt;prev, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-75816","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=75816"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75816\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=75816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=75816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=75816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}