GHSA-VCMV-6VCP-286Q

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-03-25 12:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix ARM64 alignment fault in multipath hash seed

struct sysctl_fib_multipath_hash_seed contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with a 4-byte alignment requirement.

In fib_multipath_hash_from_keys(), the code evaluates the entire struct atomically via READ_ONCE():

mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;

While this silently works on GCC by falling back to unaligned regular loads which the ARM64 kernel tolerates, it causes a fatal kernel panic when compiled with Clang and LTO enabled.

Commit e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when CONFIG_LTO=y") strengthens READ_ONCE() to use Load-Acquire instructions (ldar / ldapr) to prevent compiler reordering bugs under Clang LTO. Since the macro evaluates the full 8-byte struct, Clang emits a 64-bit ldar instruction. ARM64 architecture strictly requires ldar to be naturally aligned, thus executing it on a 4-byte aligned address triggers a strict Alignment Fault (FSC = 0x21).

Fix the read side by moving the READ_ONCE() directly to the u32 member, which emits a safe 32-bit ldar Wn.

Furthermore, Eric Dumazet pointed out that WRITE_ONCE() on the entire struct in proc_fib_multipath_hash_set_seed() is also flawed. Analysis shows that Clang splits this 8-byte write into two separate 32-bit str instructions. While this avoids an alignment fault, it destroys atomicity and exposes a tear-write vulnerability. Fix this by explicitly splitting the write into two 32-bit WRITE_ONCE() operations.

Finally, add the missing READ_ONCE() when reading user_seed in proc_fib_multipath_hash_seed() to ensure proper pairing and concurrency safety.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-23316"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:28Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix ARM64 alignment fault in multipath hash seed\n\n`struct sysctl_fib_multipath_hash_seed` contains two u32 fields\n(user_seed and mp_seed), making it an 8-byte structure with a 4-byte\nalignment requirement.\n\nIn `fib_multipath_hash_from_keys()`, the code evaluates the entire\nstruct atomically via `READ_ONCE()`:\n\n    mp_seed = READ_ONCE(net-\u003eipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nWhile this silently works on GCC by falling back to unaligned regular\nloads which the ARM64 kernel tolerates, it causes a fatal kernel panic\nwhen compiled with Clang and LTO enabled.\n\nCommit e35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire\nwhen CONFIG_LTO=y\") strengthens `READ_ONCE()` to use Load-Acquire\ninstructions (`ldar` / `ldapr`) to prevent compiler reordering bugs\nunder Clang LTO. Since the macro evaluates the full 8-byte struct,\nClang emits a 64-bit `ldar` instruction. ARM64 architecture strictly\nrequires `ldar` to be naturally aligned, thus executing it on a 4-byte\naligned address triggers a strict Alignment Fault (FSC = 0x21).\n\nFix the read side by moving the `READ_ONCE()` directly to the `u32`\nmember, which emits a safe 32-bit `ldar Wn`.\n\nFurthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire\nstruct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis\nshows that Clang splits this 8-byte write into two separate 32-bit\n`str` instructions. While this avoids an alignment fault, it destroys\natomicity and exposes a tear-write vulnerability. Fix this by\nexplicitly splitting the write into two 32-bit `WRITE_ONCE()`\noperations.\n\nFinally, add the missing `READ_ONCE()` when reading `user_seed` in\n`proc_fib_multipath_hash_seed()` to ensure proper pairing and\nconcurrency safety.",
  "id": "GHSA-vcmv-6vcp-286q",
  "modified": "2026-03-25T12:30:22Z",
  "published": "2026-03-25T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23316"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bdc94d45d5459f0149085dfc1efe733c8e14f11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ee7fa6cf78ff26d783d39e2949d14c4c1cd5e7f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/607e923a3c1b2120de430b3dcde25ed8ad213c0a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e4ad34a8889a6a9e0f6cc7c55d02161fe31a199"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.