Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable but requires non-default vti6 wildcard tunnels plus an engineered hash collision (AC:H); impact is traffic misdirection/disclosure (C:H, minor I:L), no availability loss.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:
- Tunnels matching the packet's local address, with any remote address
wildcard remote).
- Tunnels matching the packet's remote address, with any local address
(wildcard local).
However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.
The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.
AnalysisAI
Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target Linux host to be configured with IPv6 VTI (vti6) tunnels - specifically multiple tunnels including wildcard-local and/or wildcard-remote definitions that co-reside in the ip6n->tnls_r_l hash table and produce a hash collision; this is the exact precondition that makes the missing wildcard check observable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-style CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) appears to be an automated worst-case assignment typical of Linux kernel CVEs and overstates real-world risk for this specific bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Linux gateway running several IPv6 VTI tunnels (including wildcard-configured ones), an attacker who can send IPv6/IPsec packets toward the host crafts traffic whose addresses hash into a bucket shared by a different tunnel; vti6_tnl_lookup() then returns the wrong tunnel on the fallback path, causing the packet to be processed in the context of an unintended tunnel and potentially exposing or misrouting traffic. No public POC is referenced, and success depends on the specific multi-tunnel vti6 configuration and an engineered hash collision rather than a single deterministic request. |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later within each branch), matching your distribution's kernel series, then reboot. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems with IPv6 Virtual Tunnel Interface (vti6) configurations deployed; document current kernel versions on each. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39312
GHSA-h3c9-j2j5-6mff