{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46099", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.097Z", "datePublished": "2026-05-27T12:59:04.628Z", "dateUpdated": "2026-05-27T12:59:04.628Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:59:04.628Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n ksoftirqd/X higher-prio task (same CPU X)\n ----------- --------------------------------\n seg6_input_core(,skb)/rpl_input(skb)\n dst_cache_get()\n -> miss\n ip6_route_input(skb)\n -> ip6_pol_route(,skb,flags)\n [RT6_LOOKUP_F_DST_NOREF in flags]\n -> FIB lookup resolves fib6_nh\n [nhid=N route]\n -> rt6_make_pcpu_route()\n [creates pcpu_rt, refcount=1]\n pcpu_rt->sernum = fib6_sernum\n [fib6_sernum=W]\n -> cmpxchg(fib6_nh.rt6i_pcpu,\n NULL, pcpu_rt)\n [slot was empty, store succeeds]\n -> skb_dst_set_noref(skb, dst)\n [dst is pcpu_rt, refcount still 1]\n\n rt_genid_bump_ipv6()\n -> bumps fib6_sernum\n [fib6_sernum from W to Z]\n ip6_route_output()\n -> ip6_pol_route()\n -> FIB lookup resolves fib6_nh\n [nhid=N]\n -> rt6_get_pcpu_route()\n pcpu_rt->sernum != fib6_sernum\n [W <> Z, stale]\n -> prev = xchg(rt6i_pcpu, NULL)\n -> dst_release(prev)\n [prev is pcpu_rt,\n refcount 1->0, dead]\n\n dst = skb_dst(skb)\n [dst is the dead pcpu_rt]\n dst_cache_set_ip6(dst)\n -> dst_hold() on dead dst\n -> WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/rpl_iptunnel.c", "net/ipv6/seg6_iptunnel.c"], "versions": [{"version": "af4a2209b1344939eaac11f269c261d347cbc3ee", "lessThan": "6bd17925bd6866027a6555db17905b9fc073d38d", "status": "affected", "versionType": "git"}, {"version": "af4a2209b1344939eaac11f269c261d347cbc3ee", "lessThan": "52f9db67f8f35f436366cf4980b4f0a2583d0ef0", "status": "affected", "versionType": "git"}, {"version": "af4a2209b1344939eaac11f269c261d347cbc3ee", "lessThan": "b778b6d095421619c331fd2d7751143cd5387103", "status": "affected", "versionType": "git"}, {"version": "af4a2209b1344939eaac11f269c261d347cbc3ee", "lessThan": "9dd5481f960e337b81d7dfe429529495c1c481c0", "status": "affected", "versionType": "git"}, {"version": "af4a2209b1344939eaac11f269c261d347cbc3ee", "lessThan": "f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/rpl_iptunnel.c", "net/ipv6/seg6_iptunnel.c"], "versions": [{"version": "4.12", "status": "affected"}, {"version": "0", "lessThan": "4.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.86", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.27", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.4", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.12.86"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.18.27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "7.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "7.1-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"}, {"url": "https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"}, {"url": "https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"}, {"url": "https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"}, {"url": "https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"}], "title": "net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n ksoftirqd/X higher-prio task (same CPU X)\n ----------- --------------------------------\n seg6_input_core(,skb)/rpl_input(skb)\n dst_cache_get()\n -> miss\n ip6_route_input(skb)\n -> ip6_pol_route(,skb,flags)\n [RT6_LOOKUP_F_DST_NOREF in flags]\n -> FIB lookup resolves fib6_nh\n [nhid=N route]\n -> rt6_make_pcpu_route()\n [creates pcpu_rt, refcount=1]\n pcpu_rt->sernum = fib6_sernum\n [fib6_sernum=W]\n -> cmpxchg(fib6_nh.rt6i_pcpu,\n NULL, pcpu_rt)\n [slot was empty, store succeeds]\n -> skb_dst_set_noref(skb, dst)\n [dst is pcpu_rt, refcount still 1]\n\n rt_genid_bump_ipv6()\n -> bumps fib6_sernum\n [fib6_sernum from W to Z]\n ip6_route_output()\n -> ip6_pol_route()\n -> FIB lookup resolves fib6_nh\n [nhid=N]\n -> rt6_get_pcpu_route()\n pcpu_rt->sernum != fib6_sernum\n [W <> Z, stale]\n -> prev = xchg(rt6i_pcpu, NULL)\n -> dst_release(prev)\n [prev is pcpu_rt,\n refcount 1->0, dead]\n\n dst = skb_dst(skb)\n [dst is the dead pcpu_rt]\n dst_cache_set_ip6(dst)\n -> dst_hold() on dead dst\n -> WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst."}], "id": "CVE-2026-46099", "lastModified": "2026-05-27T14:48:03.013", "metrics": {}, "published": "2026-05-27T14:17:31.557", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"created": "2026-05-27T18:00:15.755263+00:00", "updated": "2026-05-27T18:00:15.755274+00:00", "vendors": [], "weaknesses": ["CWE-665"]}