Skip to main content

Linux CVE-2026-23316

| EUVDEUVD-2026-15263 MEDIUM
2026-03-25 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:27 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15263
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix ARM64 alignment fault in multipath hash seed

struct sysctl_fib_multipath_hash_seed contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with a 4-byte alignment requirement.

In fib_multipath_hash_from_keys(), the code evaluates the entire struct atomically via READ_ONCE():

mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;

While this silently works on GCC by falling back to unaligned regular loads which the ARM64 kernel tolerates, it causes a fatal kernel panic when compiled with Clang and LTO enabled.

Commit e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when CONFIG_LTO=y") strengthens READ_ONCE() to use Load-Acquire instructions (ldar / ldapr) to prevent compiler reordering bugs under Clang LTO. Since the macro evaluates the full 8-byte struct, Clang emits a 64-bit ldar instruction. ARM64 architecture strictly requires ldar to be naturally aligned, thus executing it on a 4-byte aligned address triggers a strict Alignment Fault (FSC = 0x21).

Fix the read side by moving the READ_ONCE() directly to the u32 member, which emits a safe 32-bit ldar Wn.

Furthermore, Eric Dumazet pointed out that WRITE_ONCE() on the entire struct in proc_fib_multipath_hash_set_seed() is also flawed. Analysis shows that Clang splits this 8-byte write into two separate 32-bit str instructions. While this avoids an alignment fault, it destroys atomicity and exposes a tear-write vulnerability. Fix this by explicitly splitting the write into two 32-bit WRITE_ONCE() operations.

Finally, add the missing READ_ONCE() when reading user_seed in proc_fib_multipath_hash_seed() to ensure proper pairing and concurrency safety.

AnalysisAI

A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.

Technical ContextAI

The vulnerability resides in the Linux kernel's IPv4 multipath routing implementation (CPE: cpe:2.3:a:linux:linux), specifically in how the sysctl_fib_multipath_hash_seed structure—containing two 32-bit u32 fields (user_seed and mp_seed)—is accessed via READ_ONCE() and WRITE_ONCE() macros. The root cause involves unsafe use of atomic read/write operations on an 8-byte structure with only 4-byte alignment. When compiled with Clang and LTO, the compiler emits ARM64 Load-Acquire (ldar) and Store-Release (stlr) instructions that require strict 64-bit natural alignment. The ARM64 ISA strictly enforces alignment for these instructions, triggering an Alignment Fault (FSC = 0x21) when the 8-byte ldar instruction attempts to execute on a 4-byte aligned address. Additionally, the 8-byte WRITE_ONCE() operation can be split into two separate 32-bit stores by Clang, destroying atomicity and creating a tear-write vulnerability where partial updates expose inconsistent state during concurrent reads. The proper fix involves moving READ_ONCE() to individual 32-bit fields and explicitly splitting writes into two separate 32-bit WRITE_ONCE() operations to maintain both correctness and architectural compliance.

RemediationAI

Upgrade to a Linux kernel version that includes the alignment fix patches referenced in the stable kernel commits. For ARM64 systems running Clang-compiled kernels with LTO enabled, apply the patches that move READ_ONCE() directly to individual 32-bit u32 fields in the multipath hash seed structure and explicitly split 8-byte writes into separate 32-bit WRITE_ONCE() operations (commit references: git.kernel.org/stable/c/4bdc94d45d5459f0149085dfc1efe733c8e14f11 and related commits). Until patching is possible, disable Clang LTO compilation (set CONFIG_LTO=n) if rebuilding the kernel locally, or avoid triggering multipath routing hash operations by disabling ECMP routing if not required. System administrators should prioritize patching for ARM64 deployments that use Clang-compiled kernels and rely on multipath routing, as the fix is straightforward and available upstream.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23316 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy