{"id":"CVE-2026-45905","summary":"xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix ip_rt_bug race in icmp_route_lookup reverse path\n\nicmp_route_lookup() performs multiple route lookups to find a suitable\nroute for sending ICMP error messages, with special handling for XFRM\n(IPsec) policies.\n\nThe lookup sequence is:\n1. First, lookup output route for ICMP reply (dst = original src)\n2. Pass through xfrm_lookup() for policy check\n3. If blocked (-EPERM) or dst is not local, enter \"reverse path\"\n4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec\n   which reverses the original packet's flow (saddr\u003c-\u003edaddr swapped)\n5. If fl4_dec.saddr is local (we are the original destination), use\n   __ip_route_output_key() for output route lookup\n6. If fl4_dec.saddr is NOT local (we are a forwarding node), use\n   ip_route_input() to simulate the reverse packet's input path\n7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag\n\nThe bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr\n(original packet's source) as destination. If this address becomes local\nbetween the initial check and ip_route_input() call (e.g., due to\nconcurrent \"ip addr add\"), ip_route_input() returns a LOCAL route with\ndst.output set to ip_rt_bug.\n\nThis route is then used for ICMP output, causing dst_output() to call\nip_rt_bug(), triggering a WARN_ON:\n\n ------------[ cut here ]------------\n WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1\n Call Trace:\n  \u003cTASK\u003e\n  ip_push_pending_frames+0x202/0x240\n  icmp_push_reply+0x30d/0x430\n  __icmp_send+0x1149/0x24f0\n  ip_options_compile+0xa2/0xd0\n  ip_rcv_finish_core+0x829/0x1950\n  ip_rcv+0x2d7/0x420\n  __netif_receive_skb_one_core+0x185/0x1f0\n  netif_receive_skb+0x90/0x450\n  tun_get_user+0x3413/0x3fb0\n  tun_chr_write_iter+0xe4/0x220\n  ...\n\nFix this by checking rt2-\u003ert_type after ip_route_input(). If it's\nRTN_LOCAL, the route cannot be used for output, so treat it as an error.\n\nThe reproducer requires kernel modification to widen the race window,\nmaking it unsuitable as a selftest. It is available at:\n\n  https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81","modified":"2026-05-29T04:03:07.475678934Z","published":"2026-05-27T12:17:15.050Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45905.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652"},{"type":"WEB","url":"https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45905.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45905"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8b7817f3a959ed99d7443afc12f78a7e1fcc2063"},{"fixed":"9a95ec9144eeff1fc6fbcc21b677e322c6f1430b"},{"fixed":"2c1f59005da9dd4b07b26984fd719e36557dc57c"},{"fixed":"b04061f89ffc6168e7ec3c71d0086ec3c3797228"},{"fixed":"1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1"},{"fixed":"423ce12d10b426709489d6b84fdaa6d2f31c5652"},{"fixed":"81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45905.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.25"},{"fixed":"6.1.165"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45905.json"}}],"schema_version":"1.7.5"}