Skip to main content

Linux Kernel CVE-2026-46099

| EUVDEUVD-2026-32482 HIGH
Improper Update of Reference Count (CWE-911)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9x88-7c3c-r34g
8.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:46 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence:

ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1]

rt_genid_bump_ipv6() -> bumps fib6_sernum [fib6_sernum from W to Z] ip6_route_output() -> ip6_pol_route() -> FIB lookup resolves fib6_nh [nhid=N] -> rt6_get_pcpu_route() pcpu_rt->sernum != fib6_sernum [W <> Z, stale] -> prev = xchg(rt6i_pcpu, NULL) -> dst_release(prev) [prev is pcpu_rt, refcount 1->0, dead]

dst = skb_dst(skb) [dst is the dead pcpu_rt] dst_cache_set_ip6(dst) -> dst_hold() on dead dst -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.

AnalysisAI

Use-after-free in the Linux kernel's IPv6 SR (seg6) and RPL lightweight tunnel input paths can be triggered on PREEMPT_RT builds when a higher-priority task races ksoftirqd during a concurrent FIB lookup on a shared nexthop. The flaw causes dst_cache_set_ip6() to call dst_hold() on a freed per-CPU route, producing a kernel warning or memory corruption that an attacker on the network could leverage for denial of service or potential code execution. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis.

Technical ContextAI

The bug lives in net/ipv6/seg6_iptunnel.c (seg6_input_core) and net/ipv6/rpl_iptunnel.c (rpl_input), two IPv6 lightweight tunnel handlers that implement Segment Routing over IPv6 (SRv6, RFC 8754) and Routing Protocol for Low-power and Lossy Networks (RPL, RFC 6550) source routing. Both call ip6_route_input() with the RT6_LOOKUP_F_DST_NOREF flag, attaching a non-refcounted destination entry (NOREF dst) to the skb before passing that pointer into the dst_cache machinery via dst_hold(). On PREEMPT_RT kernels (without PREEMPT_RT_NEEDS_BH_LOCK) ksoftirqd is preemptible, and shared fib6_nh nexthops mean another task on the same CPU can run rt6_get_pcpu_route(), notice a stale fib6_sernum after a generation bump, xchg the per-CPU route to NULL and dst_release() it, dropping the refcount to zero. The fix forces the dst into a refcounted state via skb_dst_force() after ip6_route_input(). The root cause class is CWE-416 (Use After Free) arising from a TOCTOU between a NOREF route lookup and the subsequent dst_hold().

RemediationAI

Upgrade to a fixed Linux kernel: mainline 7.1-rc2 or later, or stable 7.0.4, 6.18.27, 6.12.86, or 6.6.140 (per the EUVD record), pulling the seg6_input_core() and rpl_input() skb_dst_force() change referenced by the kernel.org stable commits listed in the references. Distribution users should track their vendor's kernel advisory and apply the next stable kernel update. As a compensating control until patched, disable or avoid configuring seg6 and RPL lightweight tunnel encapsulations on PREEMPT_RT hosts (remove 'encap seg6' and 'encap rpl' routes, and unload the seg6_iptunnel and rpl_iptunnel modules where feasible), which eliminates the vulnerable code path at the cost of losing SRv6/RPL source-routing functionality. Alternatively, building or running a kernel with PREEMPT_RT_NEEDS_BH_LOCK enabled, or switching off PREEMPT_RT entirely, closes the race window but sacrifices real-time latency guarantees and may not be acceptable in telecom, industrial or automotive deployments.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy