CVE-2026-46099
Awaiting Analysis - Queue
Use-After-Free in Linux Kernel IPv6 Routing

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally.

On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop.

Simplified race sequence:

    ksoftirqd/X                          higher-prio task (same CPU X)
    -----------                          --------------------------------
    seg6_input_core(,skb)/rpl_input(skb)
      dst_cache_get()
        -> miss
      ip6_route_input(skb)
        -> ip6_pol_route(,skb,flags)
           [RT6_LOOKUP_F_DST_NOREF in flags]
          -> FIB lookup resolves fib6_nh
             [nhid=N route]
          -> rt6_make_pcpu_route()
             [creates pcpu_rt, refcount=1]
             pcpu_rt->sernum = fib6_sernum
             [fib6_sernum=W]
          -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt)
             [slot was empty, store succeeds]
        -> skb_dst_set_noref(skb, dst)
           [dst is pcpu_rt, refcount still 1]

                                         rt_genid_bump_ipv6()
                                           -> bumps fib6_sernum
                                              [fib6_sernum from W to Z]
                                         ip6_route_output()
                                           -> ip6_pol_route()
                                             -> FIB lookup resolves fib6_nh
                                                [nhid=N]
                                             -> rt6_get_pcpu_route()
                                                pcpu_rt->sernum != fib6_sernum
                                                [W <> Z, stale]
                                               -> prev = xchg(rt6i_pcpu, NULL)
                                               -> dst_release(prev)
                                                  [prev is pcpu_rt,
                                                   refcount 1->0, dead]

      dst = skb_dst(skb)
      [dst is the dead pcpu_rt]
      dst_cache_set_ip6(dst)
        -> dst_hold() on dead dst
        -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching.

The output path is not affected as ip6_route_output() already returns a refcounted dst.

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-01
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | *
linux_kernel | linux_kernel | *

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's IPv6 networking code, specifically in the seg6 and rpl lightweight tunnels. The issue arises because certain functions (seg6_input_core() and rpl_input()) call ip6_route_input(), which sets a NOREF destination (dst) on a socket buffer (skb). This NOREF dst is then passed to dst_cache_set_ip6(), which calls dst_hold() unconditionally.

On PREEMPT_RT kernels, where ksoftirqd is preemptible, a race condition can occur in which a higher-priority task concurrently releases the underlying per-CPU routing structure (pcpu_rt) between the lookup and caching steps. This leads to a use-after-free condition because the dst pointer references a freed object.

The root cause is that the NOREF dst is not properly converted to a refcounted dst before caching, allowing the reference count to drop to zero and the object to be freed while still in use. The fix involves forcing the NOREF dst into a refcounted one by calling skb_dst_force() after ip6_route_input(), preventing the use-after-free.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's IPv6 networking stack. Such a condition can cause kernel crashes (kernel panics) or unpredictable behavior, potentially leading to denial of service (DoS).

Because it involves race conditions in kernel memory management, it might also be exploitable to execute arbitrary code or escalate privileges, although the description does not explicitly confirm exploitation beyond DoS.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version in which seg6_input_core() and rpl_input() call skb_dst_force() after ip6_route_input(), so that the NOREF dst is converted into a refcounted one before caching.

Therefore, the immediate mitigation step is to apply the kernel update or patch that includes this fix.
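
The refcount sequence from the description and the skb_dst_force() fix named above, replayed deterministically as an added user-space C model (not kernel code and not the patch itself). The structs and function bodies are simplified stand-ins named after their kernel counterparts, and returning NOT_CACHED when skb_dst_force() fails is an assumption: the page does not say how the patched code handles that case.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: names mirror the kernel's, bodies are simplified. */
struct dst { int refcnt; };                  /* refcnt == 0 means "dead" */
struct skb { struct dst *dst; bool noref; };
enum outcome { CACHED_LIVE, CACHED_DEAD, NOT_CACHED };

/* Take a reference only while the object is still live. */
static bool dst_hold_safe(struct dst *d) {
    if (d->refcnt == 0) return false;
    d->refcnt++;
    return true;
}

/* Convert a NOREF dst into a refcounted one, or clear it if already dead. */
static bool skb_dst_force(struct skb *s) {
    if (s->noref) {
        if (!dst_hold_safe(s->dst)) s->dst = NULL;
        s->noref = false;
    }
    return s->dst != NULL;
}

/* Unconditional hold, as in dst_cache_set_ip6(); true if the dst was dead. */
static bool cache_hold_hits_dead(struct dst *d) {
    bool dead = (d->refcnt == 0);            /* kernel: WARN / use-after-free */
    d->refcnt++;
    return dead;
}

/* Replay the input path with the competing release before or after the force point. */
static enum outcome run_input_path(bool fixed, bool release_first) {
    struct dst pcpu_rt = { .refcnt = 1 };    /* only ref is the rt6i_pcpu slot */
    struct skb skb = { &pcpu_rt, true };     /* skb_dst_set_noref() */

    if (release_first) pcpu_rt.refcnt--;     /* other task: xchg + dst_release */
    if (fixed && !skb_dst_force(&skb)) return NOT_CACHED;  /* assumed handling */
    if (!release_first) pcpu_rt.refcnt--;
    return cache_hold_hits_dead(skb.dst) ? CACHED_DEAD : CACHED_LIVE;
}

int main(void) {
    static const char *name[] = { "cached live dst", "hold on dead dst", "not cached" };
    for (int fixed = 0; fixed <= 1; fixed++)
        for (int first = 0; first <= 1; first++)
            printf("fixed=%d release_first=%d -> %s\n", fixed, first, name[run_input_path(fixed, first)]);
    return 0;
}
```

Without the force step, the release always lands before the unconditional hold, so both orderings end in a hold on a dead dst. With it, the skb either owns its own reference or ends up with no dst to cache.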
