{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46260", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.108Z", "datePublished": "2026-06-03T15:49:57.561Z", "dateUpdated": "2026-06-03T15:49:57.561Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-03T15:49:57.561Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bound access in fib6_add_rt2node().\n\nsyzbot reported out-of-bound read in fib6_add_rt2node(). [0]\n\nWhen IPv6 route is created with RTA_NH_ID, struct fib6_info\ndoes not have the trailing struct fib6_nh.\n\nThe cited commit started to check !iter->fib6_nh->fib_nh_gw_family\nto ensure that rt6_qualify_for_ecmp() will return false for iter.\n\nIf iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway.\n\nLet's check iter->nh before reading iter->fib6_nh and avoid OOB read.\n\n[0]:\nBUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\nRead of size 1 at addr ffff8880384ba6de by task syz.0.18/5500\n\nCPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\n fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]\n fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f9316b9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9\nRDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003\nRBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0\n </TASK>\n\nAllocated by task 5499:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155\n ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820\n ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_s\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/ip6_fib.c"], "versions": [{"version": "50b7c7a255858a85c4636a1e990ca04591153dca", "lessThan": "bcc60ad129ae1837cf809c81bff56ec8bfdb6b11", "status": "affected", "versionType": "git"}, {"version": "d8143c54ceeba232dc8a13aa0afa14a44b371d93", "lessThan": "bf5009a06e03ee9a51052bb59f2228a5e4e66260", "status": "affected", "versionType": "git"}, {"version": "b8ad2d53f706aeea833d23d45c0758398fede580", "lessThan": "03b5051e02f5a3772eee57493ad697d4b505b0c2", "status": "affected", "versionType": "git"}, {"version": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25", "lessThan": "500e54615c97bc3c427e52305a6fcd38a0e008a3", "status": "affected", "versionType": "git"}, {"version": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25", "lessThan": "8244f959e2c125c849e569f5b23ed49804cce695", "status": "affected", "versionType": "git"}, {"version": "6.6.124", "lessThan": "6.6.128", "status": "affected", "versionType": "semver"}, {"version": "6.12.70", "lessThan": "6.12.75", "status": "affected", "versionType": "semver"}, {"version": "6.18.10", "lessThan": "6.18.14", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/ip6_fib.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.124", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.70", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.10", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bcc60ad129ae1837cf809c81bff56ec8bfdb6b11"}, {"url": "https://git.kernel.org/stable/c/bf5009a06e03ee9a51052bb59f2228a5e4e66260"}, {"url": "https://git.kernel.org/stable/c/03b5051e02f5a3772eee57493ad697d4b505b0c2"}, {"url": "https://git.kernel.org/stable/c/500e54615c97bc3c427e52305a6fcd38a0e008a3"}, {"url": "https://git.kernel.org/stable/c/8244f959e2c125c849e569f5b23ed49804cce695"}], "title": "ipv6: Fix out-of-bound access in fib6_add_rt2node().", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bound access in fib6_add_rt2node().\n\nsyzbot reported out-of-bound read in fib6_add_rt2node(). [0]\n\nWhen IPv6 route is created with RTA_NH_ID, struct fib6_info\ndoes not have the trailing struct fib6_nh.\n\nThe cited commit started to check !iter->fib6_nh->fib_nh_gw_family\nto ensure that rt6_qualify_for_ecmp() will return false for iter.\n\nIf iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway.\n\nLet's check iter->nh before reading iter->fib6_nh and avoid OOB read.\n\n[0]:\nBUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\nRead of size 1 at addr ffff8880384ba6de by task syz.0.18/5500\n\nCPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\n fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]\n fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f9316b9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9\nRDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003\nRBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0\n </TASK>\n\nAllocated by task 5499:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155\n ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820\n ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_s\n---truncated---"}], "id": "CVE-2026-46260", "lastModified": "2026-06-03T18:16:27.147", "metrics": {}, "published": "2026-06-03T18:16:27.147", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/03b5051e02f5a3772eee57493ad697d4b505b0c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/500e54615c97bc3c427e52305a6fcd38a0e008a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8244f959e2c125c849e569f5b23ed49804cce695"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bcc60ad129ae1837cf809c81bff56ec8bfdb6b11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bf5009a06e03ee9a51052bb59f2228a5e4e66260"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}