CVE-2026-46260

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix out-of-bound access in fib6 add rt2node().

syzbot reported out-of-bound read in fib6 add rt2node(). [0]

When IPv6 route is created with RTA NH ID, struct fib6 info does not have the trailing struct fib6 nh.

The cited commit started to check !iter->fib6 nh->fib nh gw family to ensure that rt6 qualify for ecmp() will return false for iter.

If iter->nh is not NULL, rt6 qualify for ecmp() returns false anyway.

Let's check iter->nh before reading iter->fib6 nh and avoid OOB read.

[0]: BUG: KASAN: slab-out-of-bounds in fib6 add rt2node+0x349c/0x3500 net/ipv6/ip6 fib.c:1142 Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500

CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump stack lvl+0xe8/0x150 lib/dump stack.c:120 print address description mm/kasan/report.c:378 [inline] print report+0xba/0x230 mm/kasan/report.c:482 kasan report+0x117/0x150 mm/kasan/report.c:595 fib6 add rt2node+0x349c/0x3500 net/ipv6/ip6 fib.c:1142 fib6 add rt2node nh net/ipv6/ip6 fib.c:1363 [inline] fib6 add+0x910/0x18c0 net/ipv6/ip6 fib.c:1531 ip6 ins rt net/ipv6/route.c:1351 [inline] ip6 route add+0xde/0x1b0 net/ipv6/route.c:3957 inet6 rtm newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink rcv msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink rcv skb+0x232/0x4b0 net/netlink/af netlink.c:2550 netlink unicast kernel net/netlink/af netlink.c:1318 [inline] netlink unicast+0x80f/0x9b0 net/netlink/af netlink.c:1344 netlink sendmsg+0x813/0xb40 net/netlink/af netlink.c:1894 sock sendmsg nosec net/socket.c:727 [inline] sock sendmsg net/socket.c:742 [inline] sys sendmsg+0xa68/0xad0 net/socket.c:2592 sys sendmsg+0x2a5/0x360 net/socket.c:2646 sys sendmsg net/socket.c:2678 [inline] do sys sendmsg net/socket.c:2683 [inline] se sys sendmsg net/socket.c:2681 [inline] x64 sys sendmsg+0x1bd/0x2a0 net/socket.c:2681 do syscall x64 arch/x86/entry/syscall 64.c:63 [inline] do syscall 64+0xe2/0xf80 arch/x86/entry/syscall 64.c:94 entry SYSCALL 64 after hwframe+0x77/0x7f RIP: 0033:0x7f9316b9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9 RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0

Allocated by task 5499: kasan save stack mm/kasan/common.c:57 [inline] kasan save track+0x3e/0x80 mm/kasan/common.c:78 poison kmalloc redzone mm/kasan/common.c:398 [inline] kasan kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan kmalloc include/linux/kasan.h:263 [inline] do kmalloc node mm/slub.c:5657 [inline] kmalloc noprof+0x40c/0x7e0 mm/slub.c:5669 kmalloc noprof include/linux/slab.h:961 [inline] kzalloc noprof include/linux/slab.h:1094 [inline] fib6 info alloc+0x30/0xf0 net/ipv6/ip6 fib.c:155 ip6 route info create+0x142/0x860 net/ipv6/route.c:3820 ip6 route add+0x49/0x1b0 net/ipv6/route.c:3949 inet6 rtm newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink rcv msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink rcv skb+0x232/0x4b0 net/netlink/af netlink.c:2550 netlink unicast kernel net/netlink/af netlink.c:1318 [inline] netlink unicast+0x80f/0x9b0 net/netlink/af netlink.c:1344 netlink sendmsg+0x813/0xb40 net/netlink/af netlink.c:1894 sock sendmsg nosec net/socket.c:727 [inline] sock sendmsg net/socket.c:742 [inline] sys sendmsg+0xa68/0xad0 net/socket.c:2592 sys s ---truncated---