CVE-2026-53221
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:
Tunnels matching the packet's local address, with any remote address wildcard remote).
Tunnels matching the packet's remote address, with any local address (wildcard local).
However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.
The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < c327fa4fca31415431202e063767a7ae342e19c6 | affected |
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < fc657ac0767c49839b3ef0b08dc0953ca30883f8 | affected |
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 47fb3c2b4203556308e64354b3e78f2ce221d646 | affected |
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < f513f308cc4bdb4530d033431592ffbc29b7fca1 | affected |
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 90fd4513315ca07da99cfd8549d3e553a7160f0d | affected |
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 2abfb19bbb81958714ad1d43ebeb65b30394184b | affected |
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d | affected |
| Linux | Linux | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9 | affected |
| Linux | Linux | 3.19 | affected |
| Linux | Linux | 0 < 3.19 | unaffected |
| Linux | Linux | 5.10.259 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.210 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.176 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.143 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.94 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.36 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.13 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c327fa4fca31415431202e063767a7ae342e19c6
- https://git.kernel.org/stable/c/fc657ac0767c49839b3ef0b08dc0953ca30883f8
- https://git.kernel.org/stable/c/47fb3c2b4203556308e64354b3e78f2ce221d646
- https://git.kernel.org/stable/c/f513f308cc4bdb4530d033431592ffbc29b7fca1
- https://git.kernel.org/stable/c/90fd4513315ca07da99cfd8549d3e553a7160f0d
- https://git.kernel.org/stable/c/2abfb19bbb81958714ad1d43ebeb65b30394184b
- https://git.kernel.org/stable/c/2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d
- https://git.kernel.org/stable/c/a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.