HIGH · CVE-2026-46260 · CNA: Linux

CVE-2026-46260: ipv6: Fix out-of-bound access in fib6_add_rt2node().

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix out-of-bound access in fib6_add_rt2node(). syzbot reported out-of-bound read in fib6_add_rt2node(). When IPv6 route is created with RTA_NH_ID, struct fib6_info does not have the trailing struct fib6_nh. The cited commit started to check !iter->fib6_nh->fib_nh_gw_family to ensure that rt6_qualify_for_ecmp() will return false for iter. If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway. Let's check iter->nh before reading iter->fib6_nh and avoid OOB read.
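
The check ordering described above, as an added user-space model in C (not the kernel's code and not part of the original advisory). Only the field names `nh`, `fib6_nh` and `fib_nh_gw_family` come from the description; the struct layout, `alloc_size`, `model_alloc()`, `read_gw_family()` and the two predicate functions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: layouts and helper names are assumptions. */
struct nexthop { int id; };
struct fib6_nh { unsigned char fib_nh_gw_family; };
struct fib6_info {
    size_t alloc_size;        /* model only: size of this allocation */
    struct nexthop *nh;       /* non-NULL when created with RTA_NH_ID */
    struct fib6_nh fib6_nh[]; /* trailing member, absent when nh is set */
};
static int oob_reads;         /* reads that would land past the object */

static struct fib6_info *model_alloc(struct nexthop *nh, unsigned char gw)
{
    size_t sz = sizeof(struct fib6_info) + (nh ? 0 : sizeof(struct fib6_nh));
    struct fib6_info *rt = calloc(1, sz);
    if (!rt) return NULL;
    rt->alloc_size = sz;
    rt->nh = nh;
    if (!nh) rt->fib6_nh->fib_nh_gw_family = gw;
    return rt;
}

/* Bounds-checked stand-in for reading iter->fib6_nh->fib_nh_gw_family. */
static unsigned char read_gw_family(const struct fib6_info *rt)
{
    size_t end = offsetof(struct fib6_info, fib6_nh) + sizeof(struct fib6_nh);
    /* Past the allocation: the access KASAN reports; real memory is arbitrary. */
    if (end > rt->alloc_size) { oob_reads++; return 0; }
    return rt->fib6_nh->fib_nh_gw_family;
}

/* Ordering before the fix: the trailing member is read for every route. */
static int no_ecmp_unguarded(const struct fib6_info *iter) { return !read_gw_family(iter); }
/* Ordering after the fix: a non-NULL iter->nh short-circuits the read. */
static int no_ecmp_guarded(const struct fib6_info *iter) { return iter->nh || !read_gw_family(iter); }

int main(void)
{
    struct nexthop shared = { 1 };                  /* constructed sample */
    struct fib6_info *rt = model_alloc(&shared, 0); /* route with a nexthop object */
    if (!rt) return 1;
    int a = no_ecmp_unguarded(rt), b = no_ecmp_guarded(rt);
    printf("unguarded=%d guarded=%d oob_reads=%d\n", a, b, oob_reads);
    free(rt);
    return 0;
}
```

In the model, both orderings agree for routes that carry the trailing member; only the unguarded one touches memory past the object when `nh` is set.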

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's IPv6 routing code, specifically in the fib6_add_rt2node() function within net/ipv6/ip6_fib.c. An attacker with a local shell and a low-privilege account can trigger the bug by creating an IPv6 route with a next-hop ID (RTA_NH_ID), causing the kernel to read one byte past the end of an allocated slab object. Successful exploitation gives the attacker read access to kernel memory, write access to kernel memory, and the ability to crash or destabilize the affected system. Patched-image rebuilds at the fix versions (6.6.128 and 6.12.75, among others) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46260 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle affected Linux kernel versions.

Triage: Available

HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and weights it against each environment's compliance policy to determine urgency before routing the finding to the appropriate team inbox within the customer org.

Patch: Available

A patched-image rebuild at the fix versions (6.6.128, 6.12.75, and the associated upstream commits) becomes available on HarborGuard once an image containing an affected kernel is matched. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient to issue the netlink route-creation call that reaches fib6_add_rt2node().

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the out-of-bounds read entirely through their own syscalls.

  • Attack complexity: Detail

    Exploit complexity is low: no race conditions or special memory layout are required, and the trigger (creating a route with RTA_NH_ID) is a straightforward, reliable operation.

Blast Radius

  • Reads one byte of kernel slab memory past an allocated object boundary, which can expose sensitive kernel data such as adjacent heap contents.
  • With kernel memory write primitives reachable from this class of KASAN slab-out-of-bounds bug, an attacker may overwrite adjacent kernel structures to escalate privileges or bypass security controls.
  • Repeated or malformed triggering of the invalid memory access can panic or destabilize the kernel, bringing down all workloads on the affected node.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image whose kernel version falls in the affected range, covering both upstream base images and custom-built images. This CVE is rated HIGH (7.8) and carries a local privilege-escalation profile, so it is weighted accordingly against compliance policy thresholds during triage and routed to the relevant team without manual intervention. Fix versions 6.6.128, 6.12.75, and the associated upstream commit SHAs are available as rebuild targets; where auto-remediation is enabled, HarborGuard rebuilds the image at the patched version, runs a regression test, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who have not yet opted into auto-remediation can apply the fix manually by updating to a patched kernel version and rebuilding; in the interim, restricting local user accounts from creating IPv6 routes via network namespace isolation or Linux capability controls (specifically CAP_NET_ADMIN) reduces exposure.

Fix available

  • 0
  • 03b5051e02f5a3772eee57493ad697d4b505b0c2
  • 500e54615c97bc3c427e52305a6fcd38a0e008a3
  • 6.6.128
  • 6.12.75
  • 6.18.14
  • 6.19.4
  • 7.0
  • 8244f959e2c125c849e569f5b23ed49804cce695
  • bcc60ad129ae1837cf809c81bff56ec8bfdb6b11
  • bf5009a06e03ee9a51052bb59f2228a5e4e66260

Affected packages
  • Linux / Linux
    < bcc60ad129ae1837cf809c81bff56ec8bfdb6b11 (from 50b7c7a255858a85c4636a1e990ca04591153dca) · < bf5009a06e03ee9a51052bb59f2228a5e4e66260 (from d8143c54ceeba232dc8a13aa0afa14a44b371d93) · < 03b5051e02f5a3772eee57493ad697d4b505b0c2 (from b8ad2d53f706aeea833d23d45c0758398fede580) · < 500e54615c97bc3c427e52305a6fcd38a0e008a3 (from bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25) · < 8244f959e2c125c849e569f5b23ed49804cce695 (from bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25) · < 6.6.128 (from 6.6.124)
  • Linux / Linux
    6.19
    Fixed in 0, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H