CVE 9.8 CRITICAL

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()_CVE-2026-53221

June 28, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:

- Tunnels matching the packet's local address, with any remote address
wildcard remote).

- Tunnels matching the packet's remote address, with any local address
(wildcard local).

However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.

AI Analysis

The Linux kernel has a vulnerability in the ip6_vti module, where the vti6_tnl_lookup() function is prone to hash collisions, allowing an attacker to potentially bypass security checks and gain unauthorized access to the system.

Basic Information

ID CVE-2026-53221

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version fbe68ee87522f6eaa10f9076c0a7117e1613f2f7

Affected Versions Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7
Linux Linux 3.19

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version fbe68ee87522f6eaa10f9076c0a7117e1613f2f7

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()\n\nIn vti6_tnl_lookup(), when an exact match for a tunnel fails,\nthe code falls back to searching for wildcard tunnels:\n\n- Tunnels matching the packet's local address, with any remote address\n  wildcard remote).\n\n- Tunnels matching the packet's remote address, with any local address\n  (wildcard local).\n\nHowever, vti6 stores all these different types of tunnels in the same\nhash table (ip6n->tnls_r_l) prone to hash collisions.\n\nThe bug is that the fallback search loops in vti6_tnl_lookup() were\nmissing checks to ensure that the candidate tunnel actually has\na wildcard address.",
    "published": "2026-06-25T08:39:23.177Z",
    "modified": "2026-06-28T06:40:33.070Z",
    "type": "cve",
    "title": "ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/c327fa4fca31415431202e063767a7ae342e19c6\nhttps://git.kernel.org/stable/c/fc657ac0767c49839b3ef0b08dc0953ca30883f8\nhttps://git.kernel.org/stable/c/47fb3c2b4203556308e64354b3e78f2ce221d646\nhttps://git.kernel.org/stable/c/f513f308cc4bdb4530d033431592ffbc29b7fca1\nhttps://git.kernel.org/stable/c/90fd4513315ca07da99cfd8549d3e553a7160f0d\nhttps://git.kernel.org/stable/c/2abfb19bbb81958714ad1d43ebeb65b30394184b\nhttps://git.kernel.org/stable/c/2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d\nhttps://git.kernel.org/stable/c/a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9",
    "id": "CVE-2026-53221",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux fbe68ee87522f6eaa10f9076c0a7117e1613f2f7\nLinux Linux 3.19",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
    "vendor": "Linux",
    "ai_description": "The Linux kernel has a vulnerability in the ip6_vti module, where the vti6_tnl_lookup() function is prone to hash collisions, allowing an attacker to potentially bypass security checks and gain unauthorized access to the system.",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply