PT-2026-43772 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-45905 · None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
icmp_route_lookup() performs multiple route lookups to find a suitable route for sending ICMP error messages, with special handling for XFRM (IPsec) policies.
The lookup sequence is:
  1. First, look up the output route for the ICMP reply (dst = original src)
  2. Pass through xfrm_lookup() for the policy check
  3. If blocked (-EPERM) or dst is not local, enter the "reverse path"
  4. In the reverse path, call xfrm_decode_session_reverse() to get fl4_dec, which reverses the original packet's flow (saddr<->daddr swapped)
  5. If fl4_dec.saddr is local (we are the original destination), use ip_route_output_key() for the output route lookup
  6. If fl4_dec.saddr is NOT local (we are a forwarding node), use ip_route_input() to simulate the reverse packet's input path
  7. Finally, pass rt2 through xfrm_lookup() with the XFRM_LOOKUP_ICMP flag
The bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr (the original packet's source) as the destination. If this address becomes local between the initial check and the ip_route_input() call (e.g., due to a concurrent "ip addr add"), ip_route_input() returns a LOCAL route with dst.output set to ip_rt_bug.
This route is then used for ICMP output, causing dst_output() to call ip_rt_bug(), triggering a WARN_ON:
------------[ cut here ]------------
WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1
Call Trace:
 ip_push_pending_frames+0x202/0x240
 icmp_push_reply+0x30d/0x430
 icmp_send+0x1149/0x24f0
 ip_options_compile+0xa2/0xd0
 ip_rcv_finish_core+0x829/0x1950
 ip_rcv+0x2d7/0x420
 __netif_receive_skb_one_core+0x185/0x1f0
 netif_receive_skb+0x90/0x450
 tun_get_user+0x3413/0x3fb0
 tun_chr_write_iter+0xe4/0x220
 ...
Fix this by checking rt2->rt_type after ip_route_input(). If it is RTN_LOCAL, the route cannot be used for output, so treat it as an error.
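As an added illustration (not code from the kernel or from this advisory), the following user-space C model replays step 6 with the "ip addr add" race injected, first without and then with the fix's post-lookup rt_type check. Only RTN_LOCAL and RTN_UNICAST are kernel names; the node table, the addresses and every model_* function are constructed stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed user-space model of the reverse-path lookup, not kernel code.
 * Only RTN_LOCAL / RTN_UNICAST are kernel names; everything else is a stand-in. */
enum rt_type { RTN_UNICAST = 1, RTN_LOCAL = 2 };
/* Stand-in for struct rtable: its type and whether dst.output would be ip_rt_bug. */
struct rtable { enum rt_type rt_type; bool output_is_ip_rt_bug; };
/* Hypothetical per-node table of locally configured IPv4 addresses. */
struct node { uint32_t local[8]; int n_local; };

static bool addr_is_local(const struct node *nd, uint32_t a) {
    for (int i = 0; i < nd->n_local; i++)
        if (nd->local[i] == a) return true;
    return false;
}
/* Models "ip addr add", the concurrent event that turns the race into a bug. */
static void add_local_addr(struct node *nd, uint32_t a) {
    if (nd->n_local < 8) nd->local[nd->n_local++] = a;
}
/* Model of ip_route_input(): a local destination yields an RTN_LOCAL route
 * whose output hook is ip_rt_bug, which must never be used for sending. */
static struct rtable model_ip_route_input(const struct node *nd, uint32_t daddr) {
    struct rtable rt = { RTN_UNICAST, false };
    if (addr_is_local(nd, daddr)) { rt.rt_type = RTN_LOCAL; rt.output_is_ip_rt_bug = true; }
    return rt;
}

/* Step 6 on a forwarding node. `race` injects the "ip addr add" of fl4_dec.daddr
 * between the locality check and the input lookup; `fixed` applies the fix's
 * post-lookup rt_type check. Returns 0 with *out set, -1 if the route is rejected. */
static int reverse_path_lookup(struct node *nd, uint32_t dec_saddr, uint32_t dec_daddr,
                               bool race, bool fixed, struct rtable *out) {
    if (addr_is_local(nd, dec_saddr)) return -1;   /* step 5 path, not modelled */
    if (race) add_local_addr(nd, dec_daddr);       /* the race window */
    *out = model_ip_route_input(nd, dec_daddr);
    if (fixed && out->rt_type == RTN_LOCAL) return -1; /* the fix: LOCAL is unusable for output */
    return 0;
}

/* Model of dst_output(): 1 means ip_rt_bug()'s WARN_ON would fire, 0 means the packet is sent. */
static int model_dst_output(const struct rtable *rt) { return rt->output_is_ip_rt_bug ? 1 : 0; }

/* One scenario end to end: 1 = WARN_ON fires, 0 = sent, -1 = rejected before output. */
static int run_scenario(bool race, bool fixed) {
    struct node nd = { { 0x0a000001u }, 1 };  /* constructed: node owns 10.0.0.1 only */
    struct rtable rt = { RTN_UNICAST, false };
    /* fl4_dec: saddr = original dst 10.0.0.2, daddr = original src 10.0.0.3 (constructed) */
    if (reverse_path_lookup(&nd, 0x0a000002u, 0x0a000003u, race, fixed, &rt) != 0) return -1;
    return model_dst_output(&rt);
}
```

Without the race both variants send normally; with the race the unfixed path hands an RTN_LOCAL route to output (WARN_ON), while the fixed path rejects it before output.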
The reproducer requires kernel modification to widen the race window, making it unsuitable as a selftest. It is available at:

Related Identifiers

CVE-2026-45905

Affected Products

Linux