CVE-2026-53214

Source
https://cve.org/CVERecord?id=CVE-2026-53214
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53214.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53214
Downstream
Related
Published
2026-06-25T08:39:18.209Z
Modified
2026-07-08T08:13:44.338736696Z
Summary
ipv6: Fix a potential NPD in cleanup_prefix_route()
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix a potential NPD in cleanupprefixroute()

addrconfgetprefixroute() can return the fib6nullentry sentinel entry which has a NULL fib6table pointer. Therefore, before setting the route's expiration time, check that we are not working with this entry, as otherwise a NPD will be triggered [1].

Note that the other callers of addrconfgetprefix_route() are not susceptible to this bug:

  1. addrconfprefixrcv(): Requests a route with the 'RTFADDRCONF | RTFPREFIXRT' flags which are not set on fib6null_entry.

  2. modifyprefixroute(): Fixed by commit a747e02430df ("ipv6: avoid possible NULL deref in modifyprefixroute()").

  3. __ipv6ifanotify(): Calls ip6delrt() which specifically checks for fib6nullentry and returns an error.

[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [...] Call Trace: <TASK> __kasancheckbyte (mm/kasan/common.c:573) lockacquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1)) rawspinlockbh (kernel/locking/spinlock.c:182 (discriminator 1)) cleanupprefixroute (net/ipv6/addrconf.c:1280) ipv6deladdr (net/ipv6/addrconf.c:1342) inet6addrdel.isra.0 (net/ipv6/addrconf.c:3119) inet6rtmdeladdr (net/ipv6/addrconf.c:4812) rtnetlinkrcvmsg (net/core/rtnetlink.c:6997) netlinkrcvskb (net/netlink/afnetlink.c:2555) netlinkunicast (net/netlink/afnetlink.c:1344) netlinksendmsg (net/netlink/afnetlink.c:1899) __sock_sendmsg (net/socket.c:802 (discriminator 4)) ____sys_sendmsg (net/socket.c:2698) ___sys_sendmsg (net/socket.c:2752) __syssendmsg (net/socket.c:2784) dosyscall64 (arch/x86/entry/syscall64.c:63 arch/x86/entry/syscall64.c:94) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:121)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53214.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bd12abe294c7738421bdfbc486f1909d02db30e9
Fixed
5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5eb902b8e7193cdcb33242af0a56502e6b5206e9
Fixed
192df376a05c2db15564640f9da7e20907c1fa24
Fixed
07d9a0870a178843cea44cfd58c27445dc94cf5f
Fixed
653a2849305708f75260b5296f17b2a759ff9cc7
Fixed
b70c687b7cf267fb08586667a3946c8851cad672
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.6.120
Fixed
6.6.143

Affected versions

v6.*
v6.6.120
v6.6.121
v6.6.122
v6.6.123
v6.6.124
v6.6.125
v6.6.126
v6.6.127
v6.6.128
v6.6.129
v6.6.130
v6.6.131
v6.6.132
v6.6.133
v6.6.134
v6.6.135
v6.6.136
v6.6.137
v6.6.138
v6.6.139
v6.6.140
v6.6.141
v6.6.142

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53214.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53214.json"