CVE-2026-46099 (GCVE-0-2026-46099)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:59 – Updated: 2026-05-27 12:59
VLAI
Title
net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
Summary
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence: ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1] rt_genid_bump_ipv6() -> bumps fib6_sernum [fib6_sernum from W to Z] ip6_route_output() -> ip6_pol_route() -> FIB lookup resolves fib6_nh [nhid=N] -> rt6_get_pcpu_route() pcpu_rt->sernum != fib6_sernum [W <> Z, stale] -> prev = xchg(rt6i_pcpu, NULL) -> dst_release(prev) [prev is pcpu_rt, refcount 1->0, dead] dst = skb_dst(skb) [dst is the dead pcpu_rt] dst_cache_set_ip6(dst) -> dst_hold() on dead dst -> WARN / use-after-free For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry. Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: af4a2209b1344939eaac11f269c261d347cbc3ee , < 6bd17925bd6866027a6555db17905b9fc073d38d (git)
Affected: af4a2209b1344939eaac11f269c261d347cbc3ee , < 52f9db67f8f35f436366cf4980b4f0a2583d0ef0 (git)
Affected: af4a2209b1344939eaac11f269c261d347cbc3ee , < b778b6d095421619c331fd2d7751143cd5387103 (git)
Affected: af4a2209b1344939eaac11f269c261d347cbc3ee , < 9dd5481f960e337b81d7dfe429529495c1c481c0 (git)
Affected: af4a2209b1344939eaac11f269c261d347cbc3ee , < f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e (git)
Create a notification for this product.
Linux Linux Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c",
            "net/ipv6/seg6_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6bd17925bd6866027a6555db17905b9fc073d38d",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "52f9db67f8f35f436366cf4980b4f0a2583d0ef0",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "b778b6d095421619c331fd2d7751143cd5387103",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "9dd5481f960e337b81d7dfe429529495c1c481c0",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c",
            "net/ipv6/seg6_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n  ksoftirqd/X                       higher-prio task (same CPU X)\n  -----------                       --------------------------------\n  seg6_input_core(,skb)/rpl_input(skb)\n    dst_cache_get()\n      -\u003e miss\n    ip6_route_input(skb)\n      -\u003e ip6_pol_route(,skb,flags)\n         [RT6_LOOKUP_F_DST_NOREF in flags]\n        -\u003e FIB lookup resolves fib6_nh\n           [nhid=N route]\n        -\u003e rt6_make_pcpu_route()\n           [creates pcpu_rt, refcount=1]\n             pcpu_rt-\u003esernum = fib6_sernum\n             [fib6_sernum=W]\n           -\u003e cmpxchg(fib6_nh.rt6i_pcpu,\n                      NULL, pcpu_rt)\n              [slot was empty, store succeeds]\n      -\u003e skb_dst_set_noref(skb, dst)\n         [dst is pcpu_rt, refcount still 1]\n\n                                    rt_genid_bump_ipv6()\n                                      -\u003e bumps fib6_sernum\n                                         [fib6_sernum from W to Z]\n                                    ip6_route_output()\n                                      -\u003e ip6_pol_route()\n                                        -\u003e FIB lookup resolves fib6_nh\n                                           [nhid=N]\n                                        -\u003e rt6_get_pcpu_route()\n                                             pcpu_rt-\u003esernum != fib6_sernum\n                                             [W \u003c\u003e Z, stale]\n                                          -\u003e prev = xchg(rt6i_pcpu, NULL)\n                                          -\u003e dst_release(prev)\n                                             [prev is pcpu_rt,\n                                              refcount 1-\u003e0, dead]\n\n    dst = skb_dst(skb)\n    [dst is the dead pcpu_rt]\n    dst_cache_set_ip6(dst)\n      -\u003e dst_hold() on dead dst\n      -\u003e WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:59:04.628Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"
        },
        {
          "url": "https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"
        }
      ],
      "title": "net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46099",
    "datePublished": "2026-05-27T12:59:04.628Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-05-27T12:59:04.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46099",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46099\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:31.557\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\\n\\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\\ndst_hold() unconditionally.\\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\\nrelease the underlying pcpu_rt between the lookup and the caching\\nthrough a concurrent FIB lookup on a shared nexthop.\\nSimplified race sequence:\\n\\n  ksoftirqd/X                       higher-prio task (same CPU X)\\n  -----------                       --------------------------------\\n  seg6_input_core(,skb)/rpl_input(skb)\\n    dst_cache_get()\\n      -\u003e miss\\n    ip6_route_input(skb)\\n      -\u003e ip6_pol_route(,skb,flags)\\n         [RT6_LOOKUP_F_DST_NOREF in flags]\\n        -\u003e FIB lookup resolves fib6_nh\\n           [nhid=N route]\\n        -\u003e rt6_make_pcpu_route()\\n           [creates pcpu_rt, refcount=1]\\n             pcpu_rt-\u003esernum = fib6_sernum\\n             [fib6_sernum=W]\\n           -\u003e cmpxchg(fib6_nh.rt6i_pcpu,\\n                      NULL, pcpu_rt)\\n              [slot was empty, store succeeds]\\n      -\u003e skb_dst_set_noref(skb, dst)\\n         [dst is pcpu_rt, refcount still 1]\\n\\n                                    rt_genid_bump_ipv6()\\n                                      -\u003e bumps fib6_sernum\\n                                         [fib6_sernum from W to Z]\\n                                    ip6_route_output()\\n                                      -\u003e ip6_pol_route()\\n                                        -\u003e FIB lookup resolves fib6_nh\\n                                           [nhid=N]\\n                                        -\u003e rt6_get_pcpu_route()\\n                                             pcpu_rt-\u003esernum != fib6_sernum\\n                                             [W \u003c\u003e Z, stale]\\n                                          -\u003e prev = xchg(rt6i_pcpu, NULL)\\n                                          -\u003e dst_release(prev)\\n                                             [prev is pcpu_rt,\\n                                              refcount 1-\u003e0, dead]\\n\\n    dst = skb_dst(skb)\\n    [dst is the dead pcpu_rt]\\n    dst_cache_set_ip6(dst)\\n      -\u003e dst_hold() on dead dst\\n      -\u003e WARN / use-after-free\\n\\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\\nentry.\\n\\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\\nip6_route_input() to force the NOREF dst into a refcounted one before\\ncaching.\\nThe output path is not affected as ip6_route_output() already returns a\\nrefcounted dst.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.