CVE-2026-46099: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop.

Simplified race sequence:

    ksoftirqd/X                                    higher-prio task (same CPU X)
    -----------                                    --------------------------------
    seg6_input_core(,skb)/rpl_input(skb)
      dst_cache_get() -> miss
      ip6_route_input(skb)
        -> ip6_pol_route(,skb,flags)
           [RT6_LOOKUP_F_DST_NOREF in flags]
           -> FIB lookup resolves fib6_nh
              [nhid=N route]
           -> rt6_make_pcpu_route()
              [creates pcpu_rt, refcount=1]
              pcpu_rt->sernum = fib6_sernum
              [fib6_sernum=W]
           -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt)
              [slot was empty, store succeeds]
        -> skb_dst_set_noref(skb, dst)
           [dst is pcpu_rt, refcount still 1]
                                                   rt_genid_bump_ipv6()
                                                     -> bumps fib6_sernum
                                                        [fib6_sernum from W to Z]
                                                   ip6_route_output()
                                                     -> ip6_pol_route()
                                                        -> FIB lookup resolves fib6_nh
                                                           [nhid=N]
                                                        -> rt6_get_pcpu_route()
                                                           pcpu_rt->sernum != fib6_sernum
                                                           [W <> Z, stale]
                                                           -> prev = xchg(rt6i_pcpu, NULL)
                                                           -> dst_release(prev)
                                                              [prev is pcpu_rt, refcount 1->0, dead]
      dst = skb_dst(skb)
        [dst is the dead pcpu_rt]
      dst_cache_set_ip6(dst)
        -> dst_hold() on dead dst
        -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.
HarborGuard Analysis

Synopsis
A race condition exists in the Linux kernel's IPv6 lightweight tunnel (lwtunnel) input paths for seg6 and rpl. seg6_input_core() and rpl_input() take the NOREF dst that ip6_route_input() attaches to the skb and hand it to dst_cache_set_ip6(), which calls dst_hold() unconditionally. On PREEMPT_RT kernels built without PREEMPT_RT_NEEDS_BH_LOCK, ksoftirqd is preemptible, so a higher-priority task on the same CPU can bump the IPv6 route generation id and, through a FIB lookup on a shared nexthop object, release the per-CPU route between the lookup and the caching (a TOCTOU race). The kernel then increments the refcount of a freed per-CPU route, which produces a WARN or a use-after-free. The path is triggered by unauthenticated IPv6 traffic, but only on that kernel configuration and only when the timing race is won; the upstream CVSS vector rates it 8.1 (HIGH). Patched-image rebuilds at the fix versions (6.6.140, 6.12.86, 6.18.27, 7.0.4; 7.1-rc2 in mainline) are available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds and NVD within minutes of publication and matched against customer images, including custom-built images that carry the affected kernel version. Matching covers both tag-pinned and floating-tag images in connected registries and CI pipelines.
HarborGuard scores this CVE at CVSS 8.1 (HIGH) per the upstream vector and weights that score against each environment's active compliance policy to determine escalation priority. Findings are routed to the team inbox or ticketing integration configured by each customer organization.
A patched-image rebuild at kernel version 6.6.140, 6.12.86, 6.18.27 or 7.0.4 (as applicable to the base image) becomes available on HarborGuard for images confirmed to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The vulnerable code is the lwtunnel input path, reached by IPv6 packets that the target forwards through a route carrying a seg6 or rpl encap, so the attacker must be able to send such packets to the target system.
- Authentication: Not required
  No credentials or prior session are needed; the attacker sends unauthenticated network traffic to trigger the race.
- Victim interaction: Not required
  No user or administrator action is required; the race is triggered purely by incoming network packets processed by the kernel.
- Attack complexity: High
  The attacker must win a timing race between the route lookup in ksoftirqd and a concurrent FIB invalidation. That requires a PREEMPT_RT kernel without PREEMPT_RT_NEEDS_BH_LOCK (so that ksoftirqd is preemptible), a shared nexthop object (two routes on the same nhid share the fib6_nh and its rt6i_pcpu slot), and a higher-priority task on the same CPU that bumps the IPv6 route generation id and then performs an output route lookup through that nexthop in the window between ip6_route_input() and dst_cache_set_ip6(). The attacker controls the packets but not the scheduling or the concurrent route-generation bump.
Blast Radius
- The immediate effect is dst_hold() on a per-CPU route that has already been released: a refcount increment written into freed memory. With refcount debugging this trips a WARN; otherwise it is a use-after-free write into whatever now occupies that slab object.
- The dead dst is what dst_cache_set_ip6() stores in the lwtunnel's dst cache, so later packets on the same CPU can pick it up from dst_cache_get() and keep dereferencing freed memory; the exposure is not limited to the single packet that lost the race.
- An oops or panic from the invalid reference crashes the kernel, causing a denial of service and dropping all traffic on the affected host.
- The upstream CVSS vector (C:H/I:H/A:H) treats the use-after-free as potentially leading to kernel memory disclosure or corruption. Turning the refcount write into controlled code execution would need further primitives that the fix description does not describe.
How HarborGuard Handles This
Available on HarborGuard: detection runs automatically against all images in connected registries and pipelines, matching kernel package versions against the affected range (below 6.6.140, 6.12.86, 6.18.27 or 7.0.4 depending on the stable branch in use; branches with no listed fix are treated as affected). For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate patched kernel version, executes the configured regression suite, and opens a PR against affected workloads; for high-severity issues, median time from publication to merged PR is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding appears in the HarborGuard dashboard with CVSS 8.1 HIGH priority for manual review. Two compensating controls apply until patched images are promoted to production: the race requires a PREEMPT_RT kernel (without PREEMPT_RT_NEEDS_BH_LOCK), so hosts on a non-RT kernel are not exposed to it as described, and the vulnerable code is the seg6/rpl lwtunnel input path, so restricting external IPv6 traffic to those tunnel endpoints via network policy reduces the over-the-network attack surface.
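A host-side triage script, added here as an example (it is not HarborGuard tooling and not part of the upstream fix): it compares the running kernel to the fix versions listed on this page, checks whether the kernel is PREEMPT_RT (the race precondition), and lists IPv6 routes carrying seg6 or rpl encap. The branch-to-fix mapping, the 4.12 lower bound and the treatment of branches with no listed fix as affected are taken from the version data on this page. The `/sys/kernel/realtime`, `uname -v` and `/proc/config.gz` probes assume a kernel that exposes them, and `-rc` suffixes are not ordered against each other.

```shell
#!/bin/sh
# Added example for CVE-2026-46099 triage; not HarborGuard tooling and not
# part of the upstream fix. Run as root on the host to check all three
# preconditions: affected kernel version, PREEMPT_RT, seg6/rpl lwtunnel routes.

# Fix versions listed on this page, one per stable branch (7.1-rc2 covers mainline).
FIXED_VERSIONS="6.6.140 6.12.86 6.18.27 7.0.4"
FIRST_AFFECTED="4.12"

# ver_part VERSION N: N-th dotted numeric component, 0 when absent.
# A suffix such as "-rt5", "-rc2" or "-generic" is dropped before splitting.
ver_part() {
  printf '%s\n' "$1" | sed 's/[^0-9.].*//' | awk -F. -v n="$2" '{ print $n + 0 }'
}

# version_lt A B: succeed when A < B on the first three numeric components.
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(ver_part "$1" "$i")
    b=$(ver_part "$2" "$i")
    [ "$a" -lt "$b" ] && return 0
    [ "$a" -gt "$b" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# kernel_status VERSION: print "unaffected", "affected" or "fixed".
kernel_status() {
  v=$1
  if version_lt "$v" "$FIRST_AFFECTED"; then
    echo unaffected
    return 0
  fi
  major=$(ver_part "$v" 1)
  minor=$(ver_part "$v" 2)
  for f in $FIXED_VERSIONS; do
    if [ "$major" -eq "$(ver_part "$f" 1)" ] && [ "$minor" -eq "$(ver_part "$f" 2)" ]; then
      if version_lt "$v" "$f"; then echo affected; else echo fixed; fi
      return 0
    fi
  done
  # 7.1 and later carry the mainline fix (7.1-rc2 on this page); rc ordering
  # within 7.1 is not resolved, so an earlier 7.1-rc would also report fixed.
  if ! version_lt "$v" 7.1; then
    echo fixed
    return 0
  fi
  # Any other branch (for example 6.1.y) has no fix listed on this page.
  echo affected
}

# preempt_rt_enabled: succeed when the running kernel is PREEMPT_RT.
preempt_rt_enabled() {
  [ -r /sys/kernel/realtime ] && [ "$(cat /sys/kernel/realtime)" = 1 ] && return 0
  uname -v | grep -q PREEMPT_RT && return 0
  [ -r /proc/config.gz ] && zcat /proc/config.gz 2>/dev/null | grep -q '^CONFIG_PREEMPT_RT=y' && return 0
  return 1
}

# lwtunnel_routes: IPv6 routes in any table whose lwtunnel encap is seg6 or rpl.
lwtunnel_routes() {
  ip -6 route show table all 2>/dev/null | grep -E 'encap (seg6|rpl)' || true
}

main() {
  running=$(uname -r)
  echo "kernel $running: $(kernel_status "$running")"
  if preempt_rt_enabled; then
    echo "PREEMPT_RT: yes (race precondition present; also check PREEMPT_RT_NEEDS_BH_LOCK in the config)"
  else
    echo "PREEMPT_RT: no (race not reachable on this kernel as described)"
  fi
  routes=$(lwtunnel_routes)
  if [ -n "$routes" ]; then
    echo "seg6/rpl lwtunnel routes:"
    echo "$routes"
  else
    echo "seg6/rpl lwtunnel routes: none"
  fi
}

main
```

A host only matters when all three lines come back positive: an affected version, PREEMPT_RT, and at least one seg6/rpl encap route. The version check is branch-aware, so 6.12.85 reports affected while 6.12.86-rt5 reports fixed; a build string that carries its own suffix (for example a distribution's `-generic`) is handled the same way.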
Metrics

- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc2
- Affected Products: 2
Fix available

- Linux / Linux (git range): affected from af4a2209b1344939eaac11f269c261d347cbc3ee; fixed by one of 6bd17925bd6866027a6555db17905b9fc073d38d, 52f9db67f8f35f436366cf4980b4f0a2583d0ef0, b778b6d095421619c331fd2d7751143cd5387103, 9dd5481f960e337b81d7dfe429529495c1c481c0, f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e
- Linux / Linux (version range): affected from 4.12; fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H