In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix a potential NPD in cleanupprefixroute()
addrconfgetprefixroute() can return the fib6nullentry sentinel entry which has a NULL fib6table pointer. Therefore, before setting the route's expiration time, check that we are not working with this entry, as otherwise a NPD will be triggered [1].
Note that the other callers of addrconfgetprefix_route() are not susceptible to this bug:
addrconfprefixrcv(): Requests a route with the 'RTFADDRCONF | RTFPREFIXRT' flags which are not set on fib6null_entry.
modifyprefixroute(): Fixed by commit a747e02430df ("ipv6: avoid possible NULL deref in modifyprefixroute()").
__ipv6ifanotify(): Calls ip6delrt() which specifically checks for fib6nullentry and returns an error.
[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [...] Call Trace: <TASK> __kasancheckbyte (mm/kasan/common.c:573) lockacquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1)) rawspinlockbh (kernel/locking/spinlock.c:182 (discriminator 1)) cleanupprefixroute (net/ipv6/addrconf.c:1280) ipv6deladdr (net/ipv6/addrconf.c:1342) inet6addrdel.isra.0 (net/ipv6/addrconf.c:3119) inet6rtmdeladdr (net/ipv6/addrconf.c:4812) rtnetlinkrcvmsg (net/core/rtnetlink.c:6997) netlinkrcvskb (net/netlink/afnetlink.c:2555) netlinkunicast (net/netlink/afnetlink.c:1344) netlinksendmsg (net/netlink/afnetlink.c:1899) __sock_sendmsg (net/socket.c:802 (discriminator 4)) ____sys_sendmsg (net/socket.c:2698) ___sys_sendmsg (net/socket.c:2752) __syssendmsg (net/socket.c:2784) dosyscall64 (arch/x86/entry/syscall64.c:63 arch/x86/entry/syscall64.c:94) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:121)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53214.json",
"cna_assigner": "Linux"
}