CVE-2026-23200

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF

syzbot reported a kernel BUG in fib6addrt2node() when adding an IPv6 route. [0]

Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added. However, this causes a problem when the existing route has a gateway.

When RTFADDRCONF is cleared from a route that has a gateway, that route becomes eligible for ECMP, i.e. rt6qualifyforecmp() returns true. The issue is that this route was never added to the fib6_siblings list.

This leads to a mismatch between the following counts:

• The sibling count computed by iterating fib6_next chain, which includes the newly ECMP-eligible route

• The actual siblings in fib6_siblings list, which does not include that route

When a subsequent ECMP route is added, fib6addrt2node() hits BUGON(sibling->fib6nsiblings != rt->fib6_nsiblings) because the counts don't match.

Fix this by only clearing RTFADDRCONF when the existing route does not have a gateway. Routes without a gateway cannot qualify for ECMP anyway (rt6qualifyforecmp() requires fibnhgwfamily), so clearing RTFADDRCONF on them is safe and matches the original intent of the commit.

Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:fib6addrt2node+0x3433/0x3470 net/ipv6/ip6fib.c:1217 [...] Call Trace: <TASK> fib6add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532 __ip6insrt net/ipv6/route.c:1351 [inline] ip6routeadd+0xde/0x1b0 net/ipv6/route.c:3946 ipv6routeioctl+0x35c/0x480 net/ipv6/route.c:4571 inet6ioctl+0x219/0x280 net/ipv6/afinet6.c:577 sockdoioctl+0xdc/0x300 net/socket.c:1245 sockioctl+0x576/0x790 net/socket.c:1366 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:597 [inline] __sesysioctl+0xfc/0x170 fs/ioctl.c:583 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xfa/0xf80 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f