CVE-2026-46099
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
30/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels<br />
<br />
seg6_input_core() and rpl_input() call ip6_route_input() which sets a<br />
NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking<br />
dst_hold() unconditionally.<br />
On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can<br />
release the underlying pcpu_rt between the lookup and the caching<br />
through a concurrent FIB lookup on a shared nexthop.<br />
Simplified race sequence:<br />
<br />
ksoftirqd/X higher-prio task (same CPU X)<br />
----------- --------------------------------<br />
seg6_input_core(,skb)/rpl_input(skb)<br />
dst_cache_get()<br />
-> miss<br />
ip6_route_input(skb)<br />
-> ip6_pol_route(,skb,flags)<br />
[RT6_LOOKUP_F_DST_NOREF in flags]<br />
-> FIB lookup resolves fib6_nh<br />
[nhid=N route]<br />
-> rt6_make_pcpu_route()<br />
[creates pcpu_rt, refcount=1]<br />
pcpu_rt->sernum = fib6_sernum<br />
[fib6_sernum=W]<br />
-> cmpxchg(fib6_nh.rt6i_pcpu,<br />
NULL, pcpu_rt)<br />
[slot was empty, store succeeds]<br />
-> skb_dst_set_noref(skb, dst)<br />
[dst is pcpu_rt, refcount still 1]<br />
<br />
rt_genid_bump_ipv6()<br />
-> bumps fib6_sernum<br />
[fib6_sernum from W to Z]<br />
ip6_route_output()<br />
-> ip6_pol_route()<br />
-> FIB lookup resolves fib6_nh<br />
[nhid=N]<br />
-> rt6_get_pcpu_route()<br />
pcpu_rt->sernum != fib6_sernum<br />
[W Z, stale]<br />
-> prev = xchg(rt6i_pcpu, NULL)<br />
-> dst_release(prev)<br />
[prev is pcpu_rt,<br />
refcount 1->0, dead]<br />
<br />
dst = skb_dst(skb)<br />
[dst is the dead pcpu_rt]<br />
dst_cache_set_ip6(dst)<br />
-> dst_hold() on dead dst<br />
-> WARN / use-after-free<br />
<br />
For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without<br />
PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release<br />
the pcpu_rt. Shared nexthop objects provide such a path, as two routes<br />
pointing to the same nhid share the same fib6_nh and its rt6i_pcpu<br />
entry.<br />
<br />
Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after<br />
ip6_route_input() to force the NOREF dst into a refcounted one before<br />
caching.<br />
The output path is not affected as ip6_route_output() already returns a<br />
refcounted dst.
Impacto
Puntuación base 3.x
8.10
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.12 (incluyendo) | 5.15.209 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (incluyendo) | 6.1.175 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.86 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.27 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.4 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c
- https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0
- https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d
- https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0
- https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71
- https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103
- https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e
- https://access.redhat.com/security/cve/CVE-2026-46099
- https://bugzilla.redhat.com/show_bug.cgi?id=2481972
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46099.json



