net: ipv6: fix NOREF dst use in seg6 and rpl...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a
NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking
dst_hold() unconditionally.
On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can
release the underlying pcpu_rt between the lookup and the caching
through a concurrent FIB lookup on a shared nexthop.
Simplified race sequence:

ksoftirqd/X higher-prio task (same CPU X)
----------- --------------------------------
seg6_input_core(,skb)/rpl_input(skb)
dst_cache_get()
-> miss
ip6_route_input(skb)
-> ip6_pol_route(,skb,flags)
[RT6_LOOKUP_F_DST_NOREF in flags]
-> FIB lookup resolves fib6_nh
[nhid=N route]
-> rt6_make_pcpu_route()
[creates pcpu_rt, refcount=1]
pcpu_rt->sernum = fib6_sernum
[fib6_sernum=W]
-> cmpxchg(fib6_nh.rt6i_pcpu,
NULL, pcpu_rt)
[slot was empty, store succeeds]
-> skb_dst_set_noref(skb, dst)
[dst is pcpu_rt, refcount still 1]

rt_genid_bump_ipv6()
-> bumps fib6_sernum
[fib6_sernum from W to Z]
ip6_route_output()
-> ip6_pol_route()
-> FIB lookup resolves fib6_nh
[nhid=N]
-> rt6_get_pcpu_route()
pcpu_rt->sernum != fib6_sernum
[W <> Z, stale]
-> prev = xchg(rt6i_pcpu, NULL)
-> dst_release(prev)
[prev is pcpu_rt,
refcount 1->0, dead]

dst = skb_dst(skb)
[dst is the dead pcpu_rt]
dst_cache_set_ip6(dst)
-> dst_hold() on dead dst
-> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without
PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release
the pcpu_rt. Shared nexthop objects provide such a path, as two routes
pointing to the same nhid share the same fib6_nh and its rt6i_pcpu
entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after
ip6_route_input() to force the NOREF dst into a refcounted one before
caching.
The output path is not affected as ip6_route_output() already returns a
refcounted dst.

Basic Information

ID CVE-2026-46099

Source Linux

Published May 27, 2026 at 12:59

Modified May 30, 2026 at 10:47

Affected Product

Vendor Linux

Product Linux

Version af4a2209b1344939eaac11f269c261d347cbc3ee

Affected Versions Linux Linux af4a2209b1344939eaac11f269c261d347cbc3ee
Linux Linux af4a2209b1344939eaac11f269c261d347cbc3ee
Linux Linux af4a2209b1344939eaac11f269c261d347cbc3ee
Linux Linux af4a2209b1344939eaac11f269c261d347cbc3ee
Linux Linux af4a2209b1344939eaac11f269c261d347cbc3ee
Linux Linux 4.12

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n  ksoftirqd/X                       higher-prio task (same CPU X)\n  -----------                       --------------------------------\n  seg6_input_core(,skb)/rpl_input(skb)\n    dst_cache_get()\n      -> miss\n    ip6_route_input(skb)\n      -> ip6_pol_route(,skb,flags)\n         [RT6_LOOKUP_F_DST_NOREF in flags]\n        -> FIB lookup resolves fib6_nh\n           [nhid=N route]\n        -> rt6_make_pcpu_route()\n           [creates pcpu_rt, refcount=1]\n             pcpu_rt->sernum = fib6_sernum\n             [fib6_sernum=W]\n           -> cmpxchg(fib6_nh.rt6i_pcpu,\n                      NULL, pcpu_rt)\n              [slot was empty, store succeeds]\n      -> skb_dst_set_noref(skb, dst)\n         [dst is pcpu_rt, refcount still 1]\n\n                                    rt_genid_bump_ipv6()\n                                      -> bumps fib6_sernum\n                                         [fib6_sernum from W to Z]\n                                    ip6_route_output()\n                                      -> ip6_pol_route()\n                                        -> FIB lookup resolves fib6_nh\n                                           [nhid=N]\n                                        -> rt6_get_pcpu_route()\n                                             pcpu_rt->sernum != fib6_sernum\n                                             [W <> Z, stale]\n                                          -> prev = xchg(rt6i_pcpu, NULL)\n                                          -> dst_release(prev)\n                                             [prev is pcpu_rt,\n                                              refcount 1->0, dead]\n\n    dst = skb_dst(skb)\n    [dst is the dead pcpu_rt]\n    dst_cache_set_ip6(dst)\n      -> dst_hold() on dead dst\n      -> WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst.",
    "published": "2026-05-27T12:59:04.628Z",
    "modified": "2026-05-30T10:47:28.877Z",
    "type": "cve",
    "title": "net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d\nhttps://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0\nhttps://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103\nhttps://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0\nhttps://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e",
    "id": "CVE-2026-46099",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux af4a2209b1344939eaac11f269c261d347cbc3ee\nLinux Linux af4a2209b1344939eaac11f269c261d347cbc3ee\nLinux Linux af4a2209b1344939eaac11f269c261d347cbc3ee\nLinux Linux af4a2209b1344939eaac11f269c261d347cbc3ee\nLinux Linux af4a2209b1344939eaac11f269c261d347cbc3ee\nLinux Linux 4.12",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels_CVE-2026-46099

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply