Skip to main content

Linux Kernel CVE-2026-46172

| EUVDEUVD-2026-32799 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xg6x-xg63-gmxc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only exploitation requiring low privileges to trigger IPv6 xfrm6 error path; sole impact is availability via kernel resource exhaustion with no confidentiality or integrity compromise.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:39 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()

xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.

If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.

Release the dst before jumping to the drop path.

AnalysisAI

Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).

Technical ContextAI

The vulnerability resides in the Linux kernel's IPv6 transformation framework (xfrm6), specifically the xfrm6_rcv_encap() function responsible for processing incoming IPsec-encapsulated IPv6 packets. When an incoming skb lacks an attached dst entry, the function calls ip6_route_input_lookup() to perform a route lookup. The kernel's IPv6 routing layer returns a reference-counted dst entry even when the lookup resolves to a blackhole or error route - the caller is responsible for releasing this reference. The bug is a missing dst_release() call on the error path: when dst->error is non-zero, xfrm6_rcv_encap() jumps to its drop label without releasing the reference obtained from ip6_route_input_lookup(). This is a reference-counting resource leak (functionally equivalent to CWE-401, Missing Release of Memory after Effective Lifetime, though no CWE is formally assigned). The affected CPE is cpe:2.3:o:linux:linux_kernel across multiple stable branches. Notably, the source data tags this as 'Information Disclosure,' which is inconsistent with both the vulnerability description and the CVSS vector (C:N/I:N/A:H); the actual impact is availability through kernel resource exhaustion.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched stable release: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3, as documented in EUVD-2026-32799 and confirmed by the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-46172. The fix adds a dst_release() call before the drop path in xfrm6_rcv_encap(), which can be applied as a targeted backport from the git.kernel.org stable commits listed in the references. As a compensating control where immediate patching is not feasible, disabling IPv6 IPsec (xfrm6) encapsulation if it is not operationally required will fully prevent exploitation, though this removes IPsec tunnel functionality. Alternatively, deploying firewall rules at the perimeter to block encapsulated IPv6 traffic (e.g., UDP port 4500 for IKE/NAT-T, ESP protocol 50) to untrusted sources reduces the attack surface, though this is only effective if attackers lack local system access. Neither workaround has meaningful side effects beyond the intended service reduction.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy