CRITICAL · CVE-2026-53221 · CNA: Linux

CVE-2026-53221: ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:

  • Tunnels matching the packet's local address, with any remote address (wildcard remote).
  • Tunnels matching the packet's remote address, with any local address (wildcard local).

However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.
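A simplified user-space model of the fallback logic described above, added here as an illustration; it is not kernel code. Addresses are 32-bit stand-ins, and `hash()`, `lookup()`, the `strict` flag and the two sample tunnels are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 4u /* tiny on purpose, so a collision is easy to construct */
#define ADDR_ANY 0u /* stand-in for the unspecified (wildcard) address */

struct tnl { uint32_t laddr, raddr; struct tnl *next; };
static struct tnl *tbl[NBUCKETS]; /* one table for exact and wildcard tunnels */

static unsigned hash(uint32_t remote, uint32_t local) { return (remote ^ local) % NBUCKETS; }

static void tnl_link(struct tnl *t)
{
    unsigned h = hash(t->raddr, t->laddr);
    t->next = tbl[h];
    tbl[h] = t;
}

/* strict == 0 models the fallback loops without the wildcard check,
 * strict == 1 models them with the check in place. */
static struct tnl *lookup(uint32_t remote, uint32_t local, int strict)
{
    struct tnl *t;

    for (t = tbl[hash(remote, local)]; t; t = t->next)   /* exact match */
        if (t->laddr == local && t->raddr == remote)
            return t;
    for (t = tbl[hash(ADDR_ANY, local)]; t; t = t->next) /* wildcard remote */
        if (t->laddr == local && (!strict || t->raddr == ADDR_ANY))
            return t;
    for (t = tbl[hash(remote, ADDR_ANY)]; t; t = t->next) /* wildcard local */
        if (t->raddr == remote && (!strict || t->laddr == ADDR_ANY))
            return t;
    return NULL;
}

/* Constructed sample: "peer" is fully specified (local 5, remote 8) and lands
 * in the same bucket as a wildcard-remote lookup for local 5. */
static struct tnl peer = { 5, 8, NULL }, wild = { 9, ADDR_ANY, NULL };

static void setup(void)
{
    for (unsigned i = 0; i < NBUCKETS; i++) tbl[i] = NULL;
    tnl_link(&peer);
    tnl_link(&wild);
}

int main(void)
{
    setup(); /* packet: local 5, remote 6, which is not peer's configured remote */
    printf("without check: %s, with check: %s\n", lookup(6, 5, 0) ? "peer" : "none",
           lookup(6, 5, 1) ? "peer" : "none");
    return 0;
}
```

Without the check, a packet from remote 6 is attributed to a tunnel configured for remote 8 only; with it, the same packet matches nothing, while the genuine wildcard tunnel still matches.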

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A tunnel-matching logic flaw in the Linux kernel's ip6_vti (IPv6 Virtual Tunnel Interface) driver allows an unauthenticated remote attacker to exploit incorrect wildcard address checks in vti6_tnl_lookup(). The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives an attacker full read, write, and crash capability against the affected system. Patched-image rebuilds at the fix versions are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment. The CVE is ingested from upstream kernel security feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected kernel versions, across all connected registries and CI pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its CVSS v3.1 rating of 9.8 (Critical) and weighting it against each customer environment's compliance policy. Triage findings are routed automatically to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

A patched-image rebuild at the fix versions (5.10.259 and the referenced upstream commits) is available on HarborGuard for any environment found running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against the affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to trigger the vulnerability; PR:N confirms a fully unauthenticated attack path.

  • Victim interaction: Not required

    The attack is entirely attacker-driven and requires no action from any user on the target system; UI:N applies.

  • Attack complexity: Detail

    Exploitation is reliable and imposes no special environmental conditions or timing constraints; AC:L indicates a condition-free attack.

Blast Radius

  • A successful attacker reads arbitrary kernel memory, exposing credentials, cryptographic material, and other sensitive in-memory data.
  • A successful attacker writes to kernel memory, allowing modification of network routing state, process credentials, or other persisted kernel structures.
  • A successful attacker crashes the affected system, causing a full denial of service to all workloads running on the host.
  • Because all three impact dimensions are rated High, a single exploit can chain disclosure, tampering, and disruption in one attack.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53221 is active across all connected registries and pipelines, matching images that bundle a Linux kernel older than the fix commits or 5.10.259. For environments where an affected kernel version is identified, a patched-image rebuild becomes available immediately upon fix-version ingestion. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; for high-severity and critical issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, HarborGuard surfaces the finding with full CVSS context and fix-version metadata so engineering teams can act directly. Given the Critical severity and unauthenticated network attack path, prioritizing network-policy isolation of hosts exposing vti6 tunnel endpoints is a recommended compensating control for any interval before the patched image is deployed.


Fix available

Affected packages
  • Linux / Linux
    < c327fa4fca31415431202e063767a7ae342e19c6 (from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7) · < fc657ac0767c49839b3ef0b08dc0953ca30883f8 (from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7) · < 47fb3c2b4203556308e64354b3e78f2ce221d646 (from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7) · < f513f308cc4bdb4530d033431592ffbc29b7fca1 (from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7) · < 90fd4513315ca07da99cfd8549d3e553a7160f0d (from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7) · < 2abfb19bbb81958714ad1d43ebeb65b30394184b (from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7)
  • Linux / Linux
    3.19
    Fixed in 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H