Skip to main content

Linux Kernel EUVDEUVD-2026-39312

| CVE-2026-53221 CRITICAL
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h3c9-j2j5-6mff
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable but requires non-default vti6 wildcard tunnels plus an engineered hash collision (AC:H); impact is traffic misdirection/disclosure (C:H, minor I:L), no availability loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:36 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:

  • Tunnels matching the packet's local address, with any remote address

wildcard remote).

  • Tunnels matching the packet's remote address, with any local address

(wildcard local).

However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.

AnalysisAI

Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach vti6-enabled IPv6 host
Delivery
Send crafted IPv6/IPsec packet
Exploit
Hash collision in tnls_r_l bucket
Execution
Fallback lookup returns wrong tunnel
Persist
Packet processed in unintended tunnel context
Impact
Traffic misdirection / information disclosure

Vulnerability AssessmentAI

Exploitation Requires the target Linux host to be configured with IPv6 VTI (vti6) tunnels - specifically multiple tunnels including wildcard-local and/or wildcard-remote definitions that co-reside in the ip6n->tnls_r_l hash table and produce a hash collision; this is the exact precondition that makes the missing wildcard check observable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-style CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) appears to be an automated worst-case assignment typical of Linux kernel CVEs and overstates real-world risk for this specific bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Linux gateway running several IPv6 VTI tunnels (including wildcard-configured ones), an attacker who can send IPv6/IPsec packets toward the host crafts traffic whose addresses hash into a bucket shared by a different tunnel; vti6_tnl_lookup() then returns the wrong tunnel on the fallback path, causing the packet to be processed in the context of an unintended tunnel and potentially exposing or misrouting traffic. No public POC is referenced, and success depends on the specific multi-tunnel vti6 configuration and an engineered hash collision rather than a single deterministic request.
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later within each branch), matching your distribution's kernel series, then reboot. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems with IPv6 Virtual Tunnel Interface (vti6) configurations deployed; document current kernel versions on each. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy