{"id":"CVE-2026-46099","summary":"net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n  ksoftirqd/X                       higher-prio task (same CPU X)\n  -----------                       --------------------------------\n  seg6_input_core(,skb)/rpl_input(skb)\n    dst_cache_get()\n      -\u003e miss\n    ip6_route_input(skb)\n      -\u003e ip6_pol_route(,skb,flags)\n         [RT6_LOOKUP_F_DST_NOREF in flags]\n        -\u003e FIB lookup resolves fib6_nh\n           [nhid=N route]\n        -\u003e rt6_make_pcpu_route()\n           [creates pcpu_rt, refcount=1]\n             pcpu_rt-\u003esernum = fib6_sernum\n             [fib6_sernum=W]\n           -\u003e cmpxchg(fib6_nh.rt6i_pcpu,\n                      NULL, pcpu_rt)\n              [slot was empty, store succeeds]\n      -\u003e skb_dst_set_noref(skb, dst)\n         [dst is pcpu_rt, refcount still 1]\n\n                                    rt_genid_bump_ipv6()\n                                      -\u003e bumps fib6_sernum\n                                         [fib6_sernum from W to Z]\n                                    ip6_route_output()\n                                      -\u003e ip6_pol_route()\n                                        -\u003e FIB lookup resolves fib6_nh\n                                           [nhid=N]\n                                        -\u003e rt6_get_pcpu_route()\n                                             pcpu_rt-\u003esernum != fib6_sernum\n                                             [W \u003c\u003e Z, stale]\n                                          -\u003e prev = xchg(rt6i_pcpu, NULL)\n                                          -\u003e dst_release(prev)\n                                             [prev is pcpu_rt,\n                                              refcount 1-\u003e0, dead]\n\n    dst = skb_dst(skb)\n    [dst is the dead pcpu_rt]\n    dst_cache_set_ip6(dst)\n      -\u003e dst_hold() on dead dst\n      -\u003e WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst.","modified":"2026-07-01T04:02:17.388303982Z","published":"2026-05-27T12:59:04.628Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46099.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46099.json"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-46099"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46099.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46099"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2481972"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"af4a2209b1344939eaac11f269c261d347cbc3ee"},{"fixed":"51fef5a7c4d160839199e941929456ba21ddf73c"},{"fixed":"b258b849a580285a1692e782ebc902b44c884a71"},{"fixed":"6bd17925bd6866027a6555db17905b9fc073d38d"},{"fixed":"52f9db67f8f35f436366cf4980b4f0a2583d0ef0"},{"fixed":"b778b6d095421619c331fd2d7751143cd5387103"},{"fixed":"9dd5481f960e337b81d7dfe429529495c1c481c0"},{"fixed":"f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46099.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.12.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46099.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}