Skip to main content

Linux Kernel CVE-2026-46120

| EUVDEUVD-2026-32879 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-92hv-jcvf-rqg6
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:52 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ip6_gre: Use cached t->net in ip6erspan_changelink().

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.

AnalysisAI

Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).

Technical ContextAI

The affected code lives in net/ipv6/ip6_gre.c, the IPv6 GRE and ERSPAN tunnel driver. ERSPAN (Encapsulated Remote SPAN) tunnels are managed through rtnetlink's rtnl_link_ops, which expose newlink/changelink callbacks for tunnel creation and reconfiguration. Commit 5e72ce3e3980 converted ip6erspan_newlink() to resolve the per-netns ip6gre hash via link_net, but ip6erspan_changelink() was not converted and still calls dev_net(dev). After a tunnel is migrated to a new netns via IFLA_NET_NS_FD, dev_net(dev) no longer matches the netns the tunnel was originally hashed into, so changelink re-inserts it into the wrong hash and leaves a dangling reference in the original netns. The root cause is a use-after-free (CWE-416 class) driven by mismatched namespace bookkeeping; no CWE was assigned by NVD. The bug is exposed because Linux permits unprivileged user namespaces to create network namespaces and configure GRE/ERSPAN tunnels via netlink.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.1-rc3, or later, which apply the fix that makes ip6erspan_changelink() use the cached t->net (mirroring the existing behavior in ip6gre_changelink()). The upstream commits are available at https://git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e, https://git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2, https://git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91, https://git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82, and https://git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702 - distribution users should pick up their vendor's backport (Red Hat, Ubuntu, SUSE, Debian advisories). Until patched, the most effective compensating control is to disable unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 (Debian/Ubuntu) or user.max_user_namespaces=0, which closes the documented reachability path at the cost of breaking rootless containers (Podman/rootless Docker), Chrome/Firefox sandboxes, and Snap/Flatpak isolation. Alternatively, blacklist the ip6_gre kernel module (echo 'install ip6_gre /bin/true' > /etc/modprobe.d/blacklist-ip6gre.conf) on hosts that do not require IPv6 GRE/ERSPAN tunnels, which removes the vulnerable code path entirely but breaks any monitoring/encapsulation that relies on ERSPAN. On hardened multi-tenant systems, restricting CAP_NET_ADMIN inside user namespaces via seccomp or LSM policy also blunts the trigger.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy