Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-46099

CVSS v3.1 severity:
HIGH
Type:
Not available / Other type
Publication date:
27/05/2026
Last modified:
30/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a
NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking
dst_hold() unconditionally.
On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can
release the underlying pcpu_rt between the lookup and the caching
through a concurrent FIB lookup on a shared nexthop.
Simplified race sequence:

    ksoftirqd/X                            higher-prio task (same CPU X)
    -----------                            --------------------------------
    seg6_input_core(,skb)/rpl_input(skb)
      dst_cache_get()
        -> miss
      ip6_route_input(skb)
        -> ip6_pol_route(,skb,flags)
           [RT6_LOOKUP_F_DST_NOREF in flags]
        -> FIB lookup resolves fib6_nh
           [nhid=N route]
        -> rt6_make_pcpu_route()
           [creates pcpu_rt, refcount=1]
           pcpu_rt->sernum = fib6_sernum
           [fib6_sernum=W]
        -> cmpxchg(fib6_nh.rt6i_pcpu,
                   NULL, pcpu_rt)
           [slot was empty, store succeeds]
        -> skb_dst_set_noref(skb, dst)
           [dst is pcpu_rt, refcount still 1]

                                           rt_genid_bump_ipv6()
                                             -> bumps fib6_sernum
                                                [fib6_sernum from W to Z]
                                           ip6_route_output()
                                             -> ip6_pol_route()
                                             -> FIB lookup resolves fib6_nh
                                                [nhid=N]
                                             -> rt6_get_pcpu_route()
                                                pcpu_rt->sernum != fib6_sernum
                                                [W Z, stale]
                                             -> prev = xchg(rt6i_pcpu, NULL)
                                             -> dst_release(prev)
                                                [prev is pcpu_rt,
                                                 refcount 1->0, dead]

      dst = skb_dst(skb)
      [dst is the dead pcpu_rt]
      dst_cache_set_ip6(dst)
        -> dst_hold() on dead dst
        -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without
PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release
the pcpu_rt. Shared nexthop objects provide such a path, as two routes
pointing to the same nhid share the same fib6_nh and its rt6i_pcpu
entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after
ip6_route_input() to force the NOREF dst into a refcounted one before
caching.
The output path is not affected as ip6_route_output() already returns a
refcounted dst.
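
A user-space model of the reference-count sequence described above, added here as an illustration; it is not kernel code and not part of the advisory or the upstream fix. The model_* functions and the NO_DST outcome are hypothetical names, and the hold-only-while-nonzero step is an assumption about how skb_dst_force() takes its reference; what the real input path does when forcing fails is not stated in the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model (constructed): only the refcount is modelled, nothing is freed. */
struct dst { int refcnt; bool revived; };
struct skb { struct dst *dst; bool noref; };

/* Unconditional hold, as the advisory describes for dst_hold(): 0 -> 1 revives a dead dst. */
static void model_hold(struct dst *d) { if (d->refcnt++ == 0) d->revived = true; }

/* Hold only while refcnt > 0 (assumed behaviour of the kernel's dst_hold_safe()). */
static bool model_hold_safe(struct dst *d) {
    if (d->refcnt == 0) return false;
    d->refcnt++;
    return true;
}

static void model_release(struct dst *d) { d->refcnt--; }

/* Models skb_dst_force(): convert a borrowed (NOREF) dst into an owned one, or clear it. */
static bool model_dst_force(struct skb *s) {
    if (s->noref && !model_hold_safe(s->dst)) s->dst = NULL;
    s->noref = false;
    return s->dst != NULL;
}

enum outcome { CACHED_OK, NO_DST, HOLD_ON_DEAD };

/* One input-path run. release_at: 0 = no concurrent release, 1 = right after the
 * route lookup, 2 = after the point where the fix forces the reference. */
static enum outcome input_path(bool fixed, int release_at) {
    struct dst pcpu_rt = { .refcnt = 1, .revived = false }; /* rt6_make_pcpu_route() */
    struct skb skb = { .dst = &pcpu_rt, .noref = true };    /* skb_dst_set_noref() */

    if (release_at == 1) model_release(&pcpu_rt);  /* higher-prio task: dst_release(prev) */
    if (fixed && !model_dst_force(&skb)) return NO_DST;
    if (release_at == 2) model_release(&pcpu_rt);

    model_hold(skb.dst);                           /* dst_cache_set_ip6() -> dst_hold() */
    return pcpu_rt.revived ? HOLD_ON_DEAD : CACHED_OK;
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++)
        for (int at = 0; at <= 2; at++)
            printf("fixed=%d release_at=%d -> %d\n", fixed, at, input_path(fixed, at));
    return 0;
}
```

In the model, the unfixed path reaches the hold on a dead dst whenever the release lands before caching, while the fixed path either owns a reference before the release or ends up with no dst at all.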

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.12 (including)   5.15.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)   6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)    6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)    6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.13 (including)   6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.19 (including)   7.0.4 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*