HOMEVULNERABILITIESCVE-2026-23200
NONE

CVE-2026-23200

Published: February 14, 2026· Updated: Feb 18, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF

syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6

route. [0]

Commit f72514b3c569 ("ipv6: clear RA flags when adding a static

route") introduced logic to clear RTF_ADDRCONF from existing routes

when a static route with the same nexthop is added. However, this

causes a problem when the existing route has a gateway.

When RTF_ADDRCONF is cleared from a route that has a gateway, that

route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns

true. The issue is that this route was never added to the

fib6_siblings list.

This leads to a mismatch between the following counts:

- The sibling count computed by iterating fib6_next chain, which

includes the newly ECMP-eligible route

- The actual siblings in fib6_siblings list, which does not include

that route

When a subsequent ECMP route is added, fib6_add_rt2node() hits

BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the

counts don't match.

Fix this by only clearing RTF_ADDRCONF when the existing route does

not have a gateway. Routes without a gateway cannot qualify for ECMP

anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing

RTF_ADDRCONF on them is safe and matches the original intent of the

commit.

[0]:

kernel BUG at net/ipv6/ip6_fib.c:1217!

Oops: invalid opcode: 0000 [#1] SMP KASAN PTI

CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217

[...]

Call Trace:

<TASK>

fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532

__ip6_ins_rt net/ipv6/route.c:1351 [inline]

ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946

ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571

inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577

sock_do_ioctl+0xdc/0x300 net/socket.c:1245

sock_ioctl+0x576/0x790 net/socket.c:1366

vfs_ioctl fs/ioctl.c:51 [inline]

__do_sys_ioctl fs/ioctl.c:597 [inline]

__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]

do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94

entry_SYSCALL_64_after_hwframe+0x77/0x7f

NVD Source

Technical Analysis

CVE-2026-23200 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
GoogleLinux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (4)

Quick Facts

CVE IDCVE-2026-23200
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedFeb 14, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23200 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.