CVE-2026-46099

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence:

ksoftirqd/X higher-prio task (same CPU X)


seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1]

                                rt_genid_bump_ipv6()
                                  -> bumps fib6_sernum
                                     [fib6_sernum from W to Z]
                                ip6_route_output()
                                  -> ip6_pol_route()
                                    -> FIB lookup resolves fib6_nh
                                       [nhid=N]
                                    -> rt6_get_pcpu_route()
                                         pcpu_rt->sernum != fib6_sernum
                                         [W <> Z, stale]
                                      -> prev = xchg(rt6i_pcpu, NULL)
                                      -> dst_release(prev)
                                         [prev is pcpu_rt,
                                          refcount 1->0, dead]

dst = skb_dst(skb)
[dst is the dead pcpu_rt]
dst_cache_set_ip6(dst)
  -> dst_hold() on dead dst
  -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee < 51fef5a7c4d160839199e941929456ba21ddf73caffected
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee < b258b849a580285a1692e782ebc902b44c884a71affected
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee < 6bd17925bd6866027a6555db17905b9fc073d38daffected
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee < 52f9db67f8f35f436366cf4980b4f0a2583d0ef0affected
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee < b778b6d095421619c331fd2d7751143cd5387103affected
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee < 9dd5481f960e337b81d7dfe429529495c1c481c0affected
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee < f9c52a6ba9780bd27e0bf4c044fd91c13c778b6eaffected
LinuxLinux4.12affected
LinuxLinux0 < 4.12unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.86 <= 6.12.*unaffected
LinuxLinux6.18.27 <= 6.18.*unaffected
LinuxLinux7.0.4 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

kernel: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

Additional References

References