{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23316", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.995Z", "datePublished": "2026-03-25T10:27:11.028Z", "dateUpdated": "2026-04-13T06:04:15.316Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:04:15.316Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix ARM64 alignment fault in multipath hash seed\n\n`struct sysctl_fib_multipath_hash_seed` contains two u32 fields\n(user_seed and mp_seed), making it an 8-byte structure with a 4-byte\nalignment requirement.\n\nIn `fib_multipath_hash_from_keys()`, the code evaluates the entire\nstruct atomically via `READ_ONCE()`:\n\n mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nWhile this silently works on GCC by falling back to unaligned regular\nloads which the ARM64 kernel tolerates, it causes a fatal kernel panic\nwhen compiled with Clang and LTO enabled.\n\nCommit e35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire\nwhen CONFIG_LTO=y\") strengthens `READ_ONCE()` to use Load-Acquire\ninstructions (`ldar` / `ldapr`) to prevent compiler reordering bugs\nunder Clang LTO. Since the macro evaluates the full 8-byte struct,\nClang emits a 64-bit `ldar` instruction. ARM64 architecture strictly\nrequires `ldar` to be naturally aligned, thus executing it on a 4-byte\naligned address triggers a strict Alignment Fault (FSC = 0x21).\n\nFix the read side by moving the `READ_ONCE()` directly to the `u32`\nmember, which emits a safe 32-bit `ldar Wn`.\n\nFurthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire\nstruct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis\nshows that Clang splits this 8-byte write into two separate 32-bit\n`str` instructions. While this avoids an alignment fault, it destroys\natomicity and exposes a tear-write vulnerability. Fix this by\nexplicitly splitting the write into two 32-bit `WRITE_ONCE()`\noperations.\n\nFinally, add the missing `READ_ONCE()` when reading `user_seed` in\n`proc_fib_multipath_hash_seed()` to ensure proper pairing and\nconcurrency safety."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/ip_fib.h", "net/ipv4/sysctl_net_ipv4.c"], "versions": [{"version": "4ee2a8cace3fb9a34aea6a56426f89d26dd514f3", "lessThan": "4bdc94d45d5459f0149085dfc1efe733c8e14f11", "status": "affected", "versionType": "git"}, {"version": "4ee2a8cace3fb9a34aea6a56426f89d26dd514f3", "lessThan": "7e4ad34a8889a6a9e0f6cc7c55d02161fe31a199", "status": "affected", "versionType": "git"}, {"version": "4ee2a8cace3fb9a34aea6a56426f89d26dd514f3", "lessThan": "607e923a3c1b2120de430b3dcde25ed8ad213c0a", "status": "affected", "versionType": "git"}, {"version": "4ee2a8cace3fb9a34aea6a56426f89d26dd514f3", "lessThan": "4ee7fa6cf78ff26d783d39e2949d14c4c1cd5e7f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/ip_fib.h", "net/ipv4/sysctl_net_ipv4.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4bdc94d45d5459f0149085dfc1efe733c8e14f11"}, {"url": "https://git.kernel.org/stable/c/7e4ad34a8889a6a9e0f6cc7c55d02161fe31a199"}, {"url": "https://git.kernel.org/stable/c/607e923a3c1b2120de430b3dcde25ed8ad213c0a"}, {"url": "https://git.kernel.org/stable/c/4ee7fa6cf78ff26d783d39e2949d14c4c1cd5e7f"}], "title": "net: ipv4: fix ARM64 alignment fault in multipath hash seed", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9108695-408B-4C1A-A58A-9B59404F6DEE", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.11.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*", "matchCriteriaId": "4770BA57-3F3F-493B-8608-EC3B25254949", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix ARM64 alignment fault in multipath hash seed\n\n`struct sysctl_fib_multipath_hash_seed` contains two u32 fields\n(user_seed and mp_seed), making it an 8-byte structure with a 4-byte\nalignment requirement.\n\nIn `fib_multipath_hash_from_keys()`, the code evaluates the entire\nstruct atomically via `READ_ONCE()`:\n\n mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nWhile this silently works on GCC by falling back to unaligned regular\nloads which the ARM64 kernel tolerates, it causes a fatal kernel panic\nwhen compiled with Clang and LTO enabled.\n\nCommit e35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire\nwhen CONFIG_LTO=y\") strengthens `READ_ONCE()` to use Load-Acquire\ninstructions (`ldar` / `ldapr`) to prevent compiler reordering bugs\nunder Clang LTO. Since the macro evaluates the full 8-byte struct,\nClang emits a 64-bit `ldar` instruction. ARM64 architecture strictly\nrequires `ldar` to be naturally aligned, thus executing it on a 4-byte\naligned address triggers a strict Alignment Fault (FSC = 0x21).\n\nFix the read side by moving the `READ_ONCE()` directly to the `u32`\nmember, which emits a safe 32-bit `ldar Wn`.\n\nFurthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire\nstruct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis\nshows that Clang splits this 8-byte write into two separate 32-bit\n`str` instructions. While this avoids an alignment fault, it destroys\natomicity and exposes a tear-write vulnerability. Fix this by\nexplicitly splitting the write into two 32-bit `WRITE_ONCE()`\noperations.\n\nFinally, add the missing `READ_ONCE()` when reading `user_seed` in\n`proc_fib_multipath_hash_seed()` to ensure proper pairing and\nconcurrency safety."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: ipv4: solucionar fallo de alineaci\u00f3n ARM64 en la semilla de hash multipath\n\n'struct sysctl_fib_multipath_hash_seed' contiene dos campos u32 (user_seed y mp_seed), convirti\u00e9ndola en una estructura de 8 bytes con un requisito de alineaci\u00f3n de 4 bytes.\n\nEn 'fib_multipath_hash_from_keys()', el c\u00f3digo eval\u00faa la estructura completa at\u00f3micamente a trav\u00e9s de 'READ_ONCE()':\n\n mp_seed = 'READ_ONCE'(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nAunque esto funciona silenciosamente en GCC al recurrir a cargas regulares no alineadas que el kernel ARM64 tolera, causa un p\u00e1nico fatal del kernel cuando se compila con Clang y LTO habilitado.\n\nEl commit e35123d83ee3 ('arm64: lto: Strengthen 'READ_ONCE()' to acquire when CONFIG_LTO=y') refuerza 'READ_ONCE()' para usar instrucciones Load-Acquire ('ldar' / 'ldapr') para prevenir errores de reordenamiento del compilador bajo Clang LTO. Dado que la macro eval\u00faa la estructura completa de 8 bytes, Clang emite una instrucci\u00f3n 'ldar' de 64 bits. La arquitectura ARM64 requiere estrictamente que 'ldar' est\u00e9 naturalmente alineado, por lo tanto, ejecutarlo en una direcci\u00f3n alineada a 4 bytes desencadena un fallo de alineaci\u00f3n estricto (FSC = 0x21).\n\nSolucionar el lado de lectura moviendo 'READ_ONCE()' directamente al miembro 'u32', lo que emite un 'ldar Wn' seguro de 32 bits.\n\nAdem\u00e1s, Eric Dumazet se\u00f1al\u00f3 que 'WRITE_ONCE()' en la estructura completa en 'proc_fib_multipath_hash_set_seed()' tambi\u00e9n es defectuoso. El an\u00e1lisis muestra que Clang divide esta escritura de 8 bytes en dos instrucciones 'str' separadas de 32 bits. Aunque esto evita un fallo de alineaci\u00f3n, destruye la atomicidad y expone una vulnerabilidad de escritura fragmentada. Solucionar esto dividiendo expl\u00edcitamente la escritura en dos operaciones 'WRITE_ONCE()' de 32 bits.\n\nFinalmente, a\u00f1adir el 'READ_ONCE()' faltante al leer 'user_seed' en 'proc_fib_multipath_hash_seed()' para asegurar un emparejamiento adecuado y seguridad de concurrencia."}], "id": "CVE-2026-23316", "lastModified": "2026-04-23T21:07:02.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:28.063", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4bdc94d45d5459f0149085dfc1efe733c8e14f11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4ee7fa6cf78ff26d783d39e2949d14c4c1cd5e7f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/607e923a3c1b2120de430b3dcde25ed8ad213c0a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7e4ad34a8889a6a9e0f6cc7c55d02161fe31a199"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: ipv4: fix ARM64 alignment fault in multipath hash seed", "id": "2451258", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451258"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-468", "details": ["A flaw was found in the Linux kernel's handling of multipath hash seeds on ARM64 architectures. This vulnerability can lead to a system crash (kernel panic) when the kernel is compiled with specific optimizations, such as Clang with Link-Time Optimization (LTO), due to an alignment fault during memory access. Additionally, a separate issue exists where non-atomic updates to the hash seed can result in a tear-write vulnerability, potentially compromising data integrity. These issues could be triggered under specific conditions related to network multipath hashing."], "name": "CVE-2026-23316", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23316\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23316\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23316-2ce3@gregkh/T"], "statement": "This flaw is specific to ARM64 systems running kernels compiled with Clang LTO. The alignment fault occurs when READ_ONCE() on a 4-byte aligned 8-byte structure causes a 64-bit Load-Acquire instruction to execute on a misaligned address. Additionally, the tear-write vulnerability affects atomicity of hash seed updates. Most enterprise deployments use GCC-compiled kernels where this specific issue does not manifest.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4ee2a8cace3fb9a34aea6a56426f89d26dd514f3,4bdc94d45d5459f0149085dfc1efe733c8e14f11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4ee2a8cace3fb9a34aea6a56426f89d26dd514f3,7e4ad34a8889a6a9e0f6cc7c55d02161fe31a199)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4ee2a8cace3fb9a34aea6a56426f89d26dd514f3,607e923a3c1b2120de430b3dcde25ed8ad213c0a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4ee2a8cace3fb9a34aea6a56426f89d26dd514f3,4ee7fa6cf78ff26d783d39e2949d14c4c1cd5e7f)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T22:11:37.613823+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the commit fixing the ARM64 alignment issue (e.g., any release that incorporates commit e35123d83ee3).", "If you must compile the kernel yourself, avoid using Clang with LTO; either switch to GCC or disable LTO to prevent the unaligned load.", "If the multipath hash seed sysctl is not required in your environment, disable it to reduce the attack surface."], "summary": {"action": "Patch now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects any Linux kernel built for ARM64 architecture that is compiled with Clang and enables LTO, before the patch that moves the READ_ONCE and WRITE_ONCE macros to operate on the individual u32 members. This includes versions such as 6.11 and pre\u2011release 7.0 RC kernels, as well as any custom builds that have not yet incorporated commit e35123d83ee3. All devices running such kernels\u2014servers, embedded systems, mobile devices\u2014are vulnerable if the ipv4 multipath hash seed sysctl is accessible.", "description_and_impact": "The vulnerability arises from an 8\u2011byte structure in the Linux kernel\u2019s IPv4 stack that is accessed on ARM64 platforms with a 64\u2011bit load that demands natural alignment. When the kernel is compiled with Clang and link\u2011time optimization, the READ_ONCE macro evaluates the full struct, resulting in a 64\u2011bit ld_ar instruction that, if placed on a 4\u2011byte aligned address, triggers a strict Alignment Fault and panics the kernel. This fault does not leak or modify data dishonestly; it merely brings the system down, resulting in a loss of availability. The weakness corresponds to atomic read/write of a non\u2011aligned structure (CWE\u2011468).", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, while the EPSS rate is below 1\u202f%, suggesting a low likelihood of real\u2011world exploitation. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation is documented. Based on the description, it is inferred that an attacker would need privileged operations to read or write the multipath hash seed sysctl, implying a local or elevated privilege attack vector. When triggered, the fault leads to an immediate kernel panic, causing denial of service."}}}}, "created": "2026-03-25T21:15:13.214030+00:00", "title": "ARM64 Alignment Fault in IPv4 Multipath Hash Seed Causing Kernel Panic", "updated": "2026-04-28T22:15:41.370287+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}