ip6_gre: Use cached t->net in ip6erspan_changelink()._CVE-2026-46120

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ip6_gre: Use cached t->net in ip6erspan_changelink().

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape.

Basic Information

ID CVE-2026-46120

Source Linux

Published May 28, 2026 at 09:35

Modified May 30, 2026 at 10:47

Affected Product

Vendor Linux

Product Linux

Version 2d665034f239412927b1e71329f20f001c92da09

Affected Versions Linux Linux 2d665034f239412927b1e71329f20f001c92da09
Linux Linux 2d665034f239412927b1e71329f20f001c92da09
Linux Linux 2d665034f239412927b1e71329f20f001c92da09
Linux Linux 2d665034f239412927b1e71329f20f001c92da09
Linux Linux 2d665034f239412927b1e71329f20f001c92da09
Linux Linux c6d72628352c949629af619b77b042e0fb5245e7
Linux Linux 4.16.12
Linux Linux 4.17

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: Use cached t->net in ip6erspan_changelink().\n\nAfter commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of\nrtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns\nip6gre hash via link_net. ip6erspan_changelink() was not converted in\nthat series and still uses dev_net(dev), which diverges from the\ndevice's creation netns after IFLA_NET_NS_FD migration.\n\nThis re-inserts the tunnel into the wrong per-netns hash. The\noriginal netns keeps a stale entry. When that netns is later\ndestroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a\nslab-use-after-free reported by KASAN, followed by a kernel BUG at\nnet/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().\n\nReachable from an unprivileged user namespace (unshare --user\n--map-root-user --net).\n\nip6gre_changelink() earlier in the same file already uses the cached\nt->net; only ip6erspan_changelink() has the wrong shape.",
    "published": "2026-05-28T09:35:35.385Z",
    "modified": "2026-05-30T10:47:58.919Z",
    "type": "cve",
    "title": "ip6_gre: Use cached t->net in ip6erspan_changelink().",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702\nhttps://git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2\nhttps://git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82\nhttps://git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91\nhttps://git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e",
    "id": "CVE-2026-46120",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 2d665034f239412927b1e71329f20f001c92da09\nLinux Linux 2d665034f239412927b1e71329f20f001c92da09\nLinux Linux 2d665034f239412927b1e71329f20f001c92da09\nLinux Linux 2d665034f239412927b1e71329f20f001c92da09\nLinux Linux 2d665034f239412927b1e71329f20f001c92da09\nLinux Linux c6d72628352c949629af619b77b042e0fb5245e7\nLinux Linux 4.16.12\nLinux Linux 4.17",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "2d665034f239412927b1e71329f20f001c92da09",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply