Skip to main content

Linux Kernel EUVDEUVD-2026-32313

| CVE-2026-45847 MEDIUM
Reachable Assertion (CWE-617)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3538-rrcv-8mrq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector confirmed; PR:L because user namespaces allow non-root tunnel creation; no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:10 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: remove WARN_ON_ONCE when accessing forward path array

Although unlikely, recent support for IPIP tunnels increases chances of reaching this WARN_ON_ONCE if userspace manages to build a sufficiently long forward path.

Remove it.

AnalysisAI

Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.

Technical ContextAI

The vulnerability resides in the Linux kernel's network subsystem (net), specifically in the code that traverses the forward path array used for fast-path packet forwarding decisions. CWE-617 (Reachable Assertion) is the precise root cause: a WARN_ON_ONCE macro acts as a runtime assertion that was historically safe but became reachable through userspace-controlled inputs once IPIP (IP-in-IP) encapsulation tunnel support was added. IPIP tunnels can be stacked or chained by userspace, enabling construction of a forward path whose depth exceeds the original design assumption. On many kernel configurations, WARN_ON_ONCE triggers a kernel warning backtrace; in hardened or panic-on-warn configurations, this can cause a full kernel panic, elevating impact. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable branches.

RemediationAI

The primary fix is upgrading to a patched Linux kernel version: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0, depending on the stable branch in use. Upstream fix commits are available at the kernel stable git repository (https://git.kernel.org/stable/c/) for all affected branches. Distribution maintainers for RHEL, Debian, Ubuntu, SUSE, and others should be monitored for backported packages. As a compensating control where patching is not immediately possible, restrict unprivileged user namespace creation by setting kernel.unprivileged_userns_clone=0 (Debian/Ubuntu) or user.max_user_namespaces=0 (RHEL-based), which prevents unprivileged users from creating network namespaces needed to configure IPIP tunnels - note this may break container workloads such as rootless Podman or unprivileged LXC. Alternatively, blocking ip_tunnel module loading via modprobe.blacklist=ipip will prevent IPIP tunnel creation entirely, with the trade-off of breaking any legitimate IPIP tunnel usage on the host.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy