CVE-2026-53221

Summary

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:

  • Tunnels matching the packet's local address, with any remote address wildcard remote).

  • Tunnels matching the packet's remote address, with any local address (wildcard local).

However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < c327fa4fca31415431202e063767a7ae342e19c6affected
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < fc657ac0767c49839b3ef0b08dc0953ca30883f8affected
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 47fb3c2b4203556308e64354b3e78f2ce221d646affected
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < f513f308cc4bdb4530d033431592ffbc29b7fca1affected
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 90fd4513315ca07da99cfd8549d3e553a7160f0daffected
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 2abfb19bbb81958714ad1d43ebeb65b30394184baffected
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < 2fc7bc087cc7085368263d9d37bfe9a0bddd6a2daffected
LinuxLinuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 < a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9affected
LinuxLinux3.19affected
LinuxLinux0 < 3.19unaffected
LinuxLinux5.10.259 <= 5.10.*unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.94 <= 6.12.*unaffected
LinuxLinux6.18.36 <= 6.18.*unaffected
LinuxLinux7.0.13 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References