PT-2026-43967 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-46099

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence:

ksoftirqd/X                                       higher-prio task (same CPU X)

seg6_input_core(,skb)/rpl_input(skb)
  dst_cache_get() -> miss
  ip6_route_input(skb)
   -> ip6_pol_route(,skb,flags)
      [RT6_LOOKUP_F_DST_NOREF in flags]
     -> FIB lookup resolves fib6_nh
        [nhid=N route]
     -> rt6_make_pcpu_route()
        [creates pcpu_rt, refcount=1]
        pcpu_rt->sernum = fib6_sernum
        [fib6_sernum=W]
     -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt)
        [slot was empty, store succeeds]
   -> skb_dst_set_noref(skb, dst)
      [dst is pcpu_rt, refcount still 1]
                                                  rt_genid_bump_ipv6()
                                                   -> bumps fib6_sernum
                                                      [fib6_sernum from W to Z]
                                                  ip6_route_output()
                                                   -> ip6_pol_route()
                                                    -> FIB lookup resolves fib6_nh
                                                       [nhid=N]
                                                     -> rt6_get_pcpu_route()
                                                        pcpu_rt->sernum != fib6_sernum
                                                        [W <> Z, stale]
                                                      -> prev = xchg(rt6i_pcpu, NULL)
                                                      -> dst_release(prev)
                                                         [prev is pcpu_rt,
                                                          refcount 1->0, dead]
  dst = skb_dst(skb)
  [dst is the dead pcpu_rt]
  dst_cache_set_ip6(dst)
   -> dst_hold() on dead dst
   -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.
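The ownership rule behind the fix, as an added userspace model written for this page (it is not kernel code and not part of the advisory or the commit): the pcpu route is created with a single reference owned by the per-cpu slot, a NOREF lookup lets the skb borrow it without a reference of its own, and a stale-entry release on the shared nexthop therefore frees it underneath the skb. The functions dst_hold, dst_release, ip6_route_input_noref, concurrent_lookup_on_shared_nh and run_input_path are simplified stand-ins chosen for this model and carry the commit's names only so the steps can be matched to the race diagram; rcuref, RCU and the real per-cpu storage are collapsed into plain fields, and a "freed" flag replaces an actual kfree so the object can still be inspected.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the dst ownership rules in CVE-2026-46099.
 * Added illustration only; none of this is kernel code. */

struct dst_entry {
    int refcnt;   /* stands in for dst->__rcuref */
    int sernum;   /* stands in for pcpu_rt->sernum */
    int freed;    /* set once refcnt reaches 0; the kernel would free here */
};

struct fib6_nh {
    int sernum;                  /* stands in for fib6_sernum */
    struct dst_entry *rt6i_pcpu; /* cached per-cpu route for this nexthop */
};

/* Model of dst_hold(): taking a reference on an object whose count already
 * reached zero is the bug the commit describes (kernel WARNs, memory may be
 * reused). Returns a status so the model can report it; the real one is void. */
static int dst_hold(struct dst_entry *d)
{
    if (d->freed)
        return -1;                 /* WARN / use-after-free */
    d->refcnt++;
    return 0;
}

static void dst_release(struct dst_entry *d)
{
    if (--d->refcnt == 0)
        d->freed = 1;
}

/* Model of ip6_route_input() with RT6_LOOKUP_F_DST_NOREF: the new pcpu route
 * is created with refcount 1 owned by the per-cpu slot; the skb only borrows
 * it (skb_dst_set_noref), so the caller gets no reference of its own. */
static struct dst_entry *ip6_route_input_noref(struct fib6_nh *nh)
{
    struct dst_entry *rt = calloc(1, sizeof *rt);
    if (!rt)
        abort();
    rt->refcnt = 1;
    rt->sernum = nh->sernum;
    nh->rt6i_pcpu = rt;            /* cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) */
    return rt;
}

/* What the higher-priority task does while ksoftirqd is preempted:
 * rt_genid_bump_ipv6() moves fib6_sernum on, and its own lookup on the shared
 * nexthop finds the cached entry stale, swaps it out and releases it. */
static void concurrent_lookup_on_shared_nh(struct fib6_nh *nh)
{
    struct dst_entry *prev;

    nh->sernum++;                              /* fib6_sernum W -> Z */
    prev = nh->rt6i_pcpu;                      /* rt6_get_pcpu_route() */
    if (prev && prev->sernum != nh->sernum) {
        nh->rt6i_pcpu = NULL;                  /* prev = xchg(rt6i_pcpu, NULL) */
        dst_release(prev);                     /* refcount 1 -> 0, dead */
    }
}

/* Runs the input path once. use_skb_dst_force == 0 follows the vulnerable
 * order (NOREF dst cached directly); 1 takes the reference first, as the fix
 * does. Returns 0 if the caching path's dst_hold() landed on a live object,
 * -1 if it hit a released one. */
int run_input_path(int use_skb_dst_force)
{
    struct fib6_nh nh = { .sernum = 100, .rt6i_pcpu = NULL };
    struct dst_entry *dst = ip6_route_input_noref(&nh);
    int rc;

    if (use_skb_dst_force)
        dst_hold(dst);                         /* skb_dst_force(): skb owns a ref now */

    concurrent_lookup_on_shared_nh(&nh);       /* preemption window on PREEMPT_RT */

    rc = dst_hold(dst);                        /* dst_cache_set_ip6() -> dst_hold() */

    /* Drop whatever references are still live so the model leaks nothing. */
    while (!dst->freed && dst->refcnt > 0)
        dst_release(dst);
    free(dst);
    return rc;
}

int main(void)
{
    printf("NOREF dst cached directly:      %s\n",
           run_input_path(0) ? "dst_hold() on released dst (UAF)" : "ok");
    printf("skb_dst_force() before caching: %s\n",
           run_input_path(1) ? "dst_hold() on released dst (UAF)" : "ok");
    return 0;
}
```

Build with `cc -Wall -o noref noref.c` and run it: the first line reports the vulnerable interleaving, the second shows that once the skb holds its own reference the concurrent release only drops the slot's reference and the later dst_hold() finds a live object. The model is deterministic because the preemption point is called explicitly; on a real PREEMPT_RT kernel the window is the same two lines of seg6_input_core()/rpl_input(), just timing-dependent.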

Fix

Related Identifiers

CVE-2026-46099

Affected Products

Linux