{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53012","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.378Z","datePublished":"2026-06-24T16:29:22.973Z","dateUpdated":"2026-06-24T16:29:22.973Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-24T16:29:22.973Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: fix IPv6 route referencing IPv4 nexthop\n\nsyzbot reported a panic [1] [2].\n\nWhen an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag\nof all groups containing this nexthop is not updated. This is because\nnh_group_v4_update is only called when replacing AF_INET to AF_INET6,\nbut the reverse direction (AF_INET6 to AF_INET) is missed.\n\nThis allows a stale has_v4=false to bypass fib6_check_nexthop, causing\nIPv6 routes to be attached to groups that effectively contain only AF_INET\nmembers. Subsequent route lookups then call nexthop_fib6_nh() which\nreturns NULL for the AF_INET member, leading to a NULL pointer\ndereference.\n\nFix by calling nh_group_v4_update whenever the family changes, not just\nAF_INET to AF_INET6.\n\nReproducer:\n\t# AF_INET6 blackhole\n\tip -6 nexthop add id 1 blackhole\n\t# group with has_v4=false\n\tip nexthop add id 100 group 1\n\t# replace with AF_INET (no -6), has_v4 stays false\n\tip nexthop replace id 1 blackhole\n\t# pass stale has_v4 check\n\tip -6 route add 2001:db8::/64 nhid 100\n\t# panic\n\tping -6 2001:db8::1\n\n[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0\n[2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/nexthop.c"],"versions":[{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"ceffe81a0be92afc0cd1340bc8ca46559cce9bb4","status":"affected","versionType":"git"},{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"9c2d6770a5f4545a307eb66979bef7656a34d621","status":"affected","versionType":"git"},{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"6275796f22bb382f3e9aa58ed0b4ef7bdad78cb8","status":"affected","versionType":"git"},{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"aaac3bed034239e1d75732211d9b05f30b0b4f35","status":"affected","versionType":"git"},{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"ad85961004fd4bd2f31209ac4b07612c6cefb9e7","status":"affected","versionType":"git"},{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"613c8f4a501421dd258b07ea614205d4e16ec845","status":"affected","versionType":"git"},{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"b3b7e850e1541f0520c4a12ec884255c30427ff6","status":"affected","versionType":"git"},{"version":"7bf4796dd09984ad1612877a82d0d139c70ae27f","lessThan":"29c95185ba32b621fbc3800fb86e7dc3edf5c2be","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/nexthop.c"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.6.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.12.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.18.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ceffe81a0be92afc0cd1340bc8ca46559cce9bb4"},{"url":"https://git.kernel.org/stable/c/9c2d6770a5f4545a307eb66979bef7656a34d621"},{"url":"https://git.kernel.org/stable/c/6275796f22bb382f3e9aa58ed0b4ef7bdad78cb8"},{"url":"https://git.kernel.org/stable/c/aaac3bed034239e1d75732211d9b05f30b0b4f35"},{"url":"https://git.kernel.org/stable/c/ad85961004fd4bd2f31209ac4b07612c6cefb9e7"},{"url":"https://git.kernel.org/stable/c/613c8f4a501421dd258b07ea614205d4e16ec845"},{"url":"https://git.kernel.org/stable/c/b3b7e850e1541f0520c4a12ec884255c30427ff6"},{"url":"https://git.kernel.org/stable/c/29c95185ba32b621fbc3800fb86e7dc3edf5c2be"}],"title":"nexthop: fix IPv6 route referencing IPv4 nexthop","x_generator":{"engine":"bippy-1.2.0"}}}}