{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-05T13:34:33.516","vulnerabilities":[{"cve":{"id":"CVE-2026-23316","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:28.063","lastModified":"2026-04-23T21:07:02.380","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix ARM64 alignment fault in multipath hash seed\n\n`struct sysctl_fib_multipath_hash_seed` contains two u32 fields\n(user_seed and mp_seed), making it an 8-byte structure with a 4-byte\nalignment requirement.\n\nIn `fib_multipath_hash_from_keys()`, the code evaluates the entire\nstruct atomically via `READ_ONCE()`:\n\n    mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nWhile this silently works on GCC by falling back to unaligned regular\nloads which the ARM64 kernel tolerates, it causes a fatal kernel panic\nwhen compiled with Clang and LTO enabled.\n\nCommit e35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire\nwhen CONFIG_LTO=y\") strengthens `READ_ONCE()` to use Load-Acquire\ninstructions (`ldar` / `ldapr`) to prevent compiler reordering bugs\nunder Clang LTO. Since the macro evaluates the full 8-byte struct,\nClang emits a 64-bit `ldar` instruction. ARM64 architecture strictly\nrequires `ldar` to be naturally aligned, thus executing it on a 4-byte\naligned address triggers a strict Alignment Fault (FSC = 0x21).\n\nFix the read side by moving the `READ_ONCE()` directly to the `u32`\nmember, which emits a safe 32-bit `ldar Wn`.\n\nFurthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire\nstruct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis\nshows that Clang splits this 8-byte write into two separate 32-bit\n`str` instructions. While this avoids an alignment fault, it destroys\natomicity and exposes a tear-write vulnerability. Fix this by\nexplicitly splitting the write into two 32-bit `WRITE_ONCE()`\noperations.\n\nFinally, add the missing `READ_ONCE()` when reading `user_seed` in\n`proc_fib_multipath_hash_seed()` to ensure proper pairing and\nconcurrency safety."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: ipv4: solucionar fallo de alineación ARM64 en la semilla de hash multipath\n\n'struct sysctl_fib_multipath_hash_seed' contiene dos campos u32 (user_seed y mp_seed), convirtiéndola en una estructura de 8 bytes con un requisito de alineación de 4 bytes.\n\nEn 'fib_multipath_hash_from_keys()', el código evalúa la estructura completa atómicamente a través de 'READ_ONCE()':\n\n    mp_seed = 'READ_ONCE'(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nAunque esto funciona silenciosamente en GCC al recurrir a cargas regulares no alineadas que el kernel ARM64 tolera, causa un pánico fatal del kernel cuando se compila con Clang y LTO habilitado.\n\nEl commit e35123d83ee3 ('arm64: lto: Strengthen 'READ_ONCE()' to acquire when CONFIG_LTO=y') refuerza 'READ_ONCE()' para usar instrucciones Load-Acquire ('ldar' / 'ldapr') para prevenir errores de reordenamiento del compilador bajo Clang LTO. Dado que la macro evalúa la estructura completa de 8 bytes, Clang emite una instrucción 'ldar' de 64 bits. La arquitectura ARM64 requiere estrictamente que 'ldar' esté naturalmente alineado, por lo tanto, ejecutarlo en una dirección alineada a 4 bytes desencadena un fallo de alineación estricto (FSC = 0x21).\n\nSolucionar el lado de lectura moviendo 'READ_ONCE()' directamente al miembro 'u32', lo que emite un 'ldar Wn' seguro de 32 bits.\n\nAdemás, Eric Dumazet señaló que 'WRITE_ONCE()' en la estructura completa en 'proc_fib_multipath_hash_set_seed()' también es defectuoso. El análisis muestra que Clang divide esta escritura de 8 bytes en dos instrucciones 'str' separadas de 32 bits. Aunque esto evita un fallo de alineación, destruye la atomicidad y expone una vulnerabilidad de escritura fragmentada. Solucionar esto dividiendo explícitamente la escritura en dos operaciones 'WRITE_ONCE()' de 32 bits.\n\nFinalmente, añadir el 'READ_ONCE()' faltante al leer 'user_seed' en 'proc_fib_multipath_hash_seed()' para asegurar un emparejamiento adecuado y seguridad de concurrencia."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.1","versionEndExcluding":"6.12.77","matchCriteriaId":"A9108695-408B-4C1A-A58A-9B59404F6DEE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.17","matchCriteriaId":"A5E006E4-59C7-43C1-9231-62A72219F2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*","matchCriteriaId":"4770BA57-3F3F-493B-8608-EC3B25254949"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4bdc94d45d5459f0149085dfc1efe733c8e14f11","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4ee7fa6cf78ff26d783d39e2949d14c4c1cd5e7f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/607e923a3c1b2120de430b3dcde25ed8ad213c0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e4ad34a8889a6a9e0f6cc7c55d02161fe31a199","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}