Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46099— net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

AI Predicted 4.9 Difficulty: Hard

Possible ATT&CK Techniques 1AI

T1211 · Exploitation for Stealth

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinuxaf4a2209b1344939eaac11f269c261d347cbc3ee< 6bd17925bd6866027a6555db17905b9fc073d38daffected
af4a2209b1344939eaac11f269c261d347cbc3ee< 52f9db67f8f35f436366cf4980b4f0a2583d0ef0affected
af4a2209b1344939eaac11f269c261d347cbc3ee< b778b6d095421619c331fd2d7751143cd5387103affected
af4a2209b1344939eaac11f269c261d347cbc3ee< 9dd5481f960e337b81d7dfe429529495c1c481c0affected
af4a2209b1344939eaac11f269c261d347cbc3ee< f9c52a6ba9780bd27e0bf4c044fd91c13c778b6eaffected
4.12affected
< 4.12unaffected
6.6.140≤ 6.6.*unaffected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46099

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence: ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1] rt_genid_bump_ipv6() -> bumps fib6_sernum [fib6_sernum from W to Z] ip6_route_output() -> ip6_pol_route() -> FIB lookup resolves fib6_nh [nhid=N] -> rt6_get_pcpu_route() pcpu_rt->sernum != fib6_sernum [W <> Z, stale] -> prev = xchg(rt6i_pcpu, NULL) -> dst_release(prev) [prev is pcpu_rt, refcount 1->0, dead] dst = skb_dst(skb) [dst is the dead pcpu_rt] dst_cache_set_ip6(dst) -> dst_hold() on dead dst -> WARN / use-after-free For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry. Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux af4a2209b1344939eaac11f269c261d347cbc3ee ~ 6bd17925bd6866027a6555db17905b9fc073d38d -
LinuxLinux 4.12 -

II. Public POCs for CVE-2026-46099

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46099

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46099 (5)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-45915fat: avoid parent link count underflow in rmdir
CVE-2026-45932bpf: Fix tcx/netkit detach permissions when prog fd isn't given
CVE-2026-45931accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()
CVE-2026-45930net: mctp: ensure our nlmsg responses are initialised
CVE-2026-45929ovpn: fix possible use-after-free in ovpn_net_xmit
CVE-2026-45928media: chips-media: wave5: Fix memory leak on codec_info allocation failure
CVE-2026-45927bpf: Require frozen map for calculating map hash
CVE-2026-45926rust: pwm: Fix potential memory leak on init error
CVE-2026-45925thermal/of: Fix reference leak in thermal_of_cm_lookup()
CVE-2026-45924ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
CVE-2026-45923net: usb: catc: enable basic endpoint checking
CVE-2026-45922RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
CVE-2026-45921mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()
CVE-2026-45920ext4: fix dirtyclusters double decrement on fs shutdown
CVE-2026-45919sched/rt: Skip currently executing CPU in rto_next_cpu()
CVE-2026-45918ovpn: tcp - don't deref NULL sk_socket member after tcp_close()
CVE-2026-45917ipvs: do not keep dest_dst if dev is going down
CVE-2026-45916power: supply: sbs-battery: Fix use-after-free in power_supply_changed()
CVE-2026-45905xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
CVE-2026-45903bpf: Fix memory access flags in helper prototypes

Showing top 20 of 276 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46099

No comments yet

Leave a comment