CVE-2026-23300: Missing Initialization of Resource in Linux

Severity: 7.5 HIGH (no vector)
EPSS: 0.0% (top 90.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 25

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop

When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_o

Affected Packages (5 packages)

Linux | linux/linux_kernel | 5.3.0 | 6.1.167 | +4
Debian | linux/linux_kernel | < 6.19.8-1
CVEListV5 | linux/linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e | b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a | +6
debian | debian/linux | < linux 6.19.8-1 (forky)

🔴 Vulnerability Details (3)

OSV (2026-03-25): CVE-2026-23300: In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a stand
OSV (2026-03-25): net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
GHSA (2026-03-25): GHSA-77gg-4hmh-hwxc: In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a sta

📋 Vendor Advisories (3)

Red Hat (2026-03-25): kernel: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
Microsoft (2026-03-10): net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
Debian (2026): CVE-2026-23300: linux - In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ...

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-23300 Impact, Exploitability, and Mitigation Steps | Wiz