Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local access with low privilege (CAP_NET_ADMIN via user namespace) is needed, and the trigger is a narrow multi-CPU race so AC:H; a kernel UAF yields high C/I/A.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ipv6: anycast: insert aca into global hash under idev->lock
syzbot reported a splat [1]: a slab-use-after-free in ipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash under RCU and dereferences a struct ifacaddr6 that has already been freed while still linked in the hash, so a later reader walks into a dangling node.
In __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then aca_get() bumps it to 2 to keep it alive across the unlocked region. It is published to idev->ac_list under idev->lock, but ipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent teardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL) can slip into that window:
CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL) ------------------------------ ------------------------------------ aca_alloc() refcnt 1 aca_get() refcnt 2 write_lock_bh(idev->lock) add aca to ac_list write_unlock_bh(idev->lock) write_lock_bh(idev->lock) pull aca off ac_list write_unlock_bh(idev->lock) ipv6_del_acaddr_hash(aca) hlist_del_init_rcu() is a no-op, aca is not in the hash yet aca_put() refcnt 2->1 ipv6_add_acaddr_hash(aca) aca now inserted into the hash aca_put() refcnt 1->0 call_rcu(aca_free_rcu) -> kfree(aca)
The hash removal becomes a no-op because the insertion has not happened yet, so once CPU0 inserts and drops the last reference, the aca is freed while still linked in inet6_acaddr_lst[], and readers dereference freed memory after the slab slot is reused.
This window opened once RTNL stopped serializing the join path against device teardown. Move ipv6_add_acaddr_hash() inside the idev->lock section so the ac_list and hash insertions are atomic with respect to teardown: a racing remover now either misses the aca entirely or finds it in both lists.
acaddr_hash_lock is now nested under idev->lock, which is acquired in softirq context, so switch all acaddr_hash_lock sites to spin_lock_bh() to avoid the irq lock inversion reported in [2].
[1] https://syzkaller.appspot.com/bug?extid=a01df04303c131efbf3a [2] https://lore.kernel.org/netdev/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com/
AnalysisAI
Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution with the privilege to manipulate IPv6 anycast addresses - practically CAP_NET_ADMIN, obtainable by an unprivileged user via an unprivileged user namespace, or otherwise a low-privileged local account (matching CVSS PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a real but not urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local, low-privileged user (for example inside a container with CAP_NET_ADMIN in its own network namespace) repeatedly joins and leaves IPv6 anycast groups while concurrently tearing down the device, racing __ipv6_dev_ac_inc() against ipv6_ac_destroy_dev() to free an ifacaddr6 that is still linked in the global anycast hash. A second thread then walks inet6_acaddr_lst[] via ipv6_chk_acast_addr() to dereference the freed slab object, leaking kernel memory contents or, with heap grooming, corrupting adjacent objects toward privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to Linux 6.18.36, 7.0.13, or 7.1, or later within your maintained branch; distribution users should apply the corresponding distro kernel update that backports stable commits 15be7e9fdbff831fb3e89b83cc337a4f85ad3310, 3a967c498baa976b11d4800dda224c507416e97c, or f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3 (see https://git.kernel.org/stable/c/f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3 and the sibling commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Enumerate Linux systems with IPv6 enabled and document current kernel versions across your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39210
GHSA-hqjh-c323-5jv8