CVE-2026-53221
Received - Intake
Linux Kernel IPv6 VTI Tunnel Matching Vulnerability

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:
- Tunnels matching the packet's local address, with any remote address (wildcard remote).
- Tunnels matching the packet's remote address, with any local address (wildcard local).

However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A

Affected Vendors & Products
Currently, no data is known.

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's ip6_vti component, specifically in the function vti6_tnl_lookup(). When the function fails to find an exact match for a tunnel, it falls back to searching for wildcard tunnels that match either the packet's local address with any remote address or the packet's remote address with any local address.

The issue arises because all these different types of tunnels are stored in the same hash table, which is prone to hash collisions. The fallback search loops in vti6_tnl_lookup() do not properly check whether the candidate tunnel actually has a wildcard address, leading to incorrect tunnel matching.
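
The fallback behaviour described above, as an added example (a simplified user-space model written for this page, not the kernel source or the upstream patch). Only the table name tnls_r_l comes from the description; addr_t, hash(), HASH_SIZE, tnl_lookup(), stray_match() and the address values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model, not kernel code: an address is a 64-bit
 * value and 0 stands for the "any" (wildcard) address. */
typedef uint64_t addr_t;
struct tnl { addr_t laddr, raddr; struct tnl *next; };

#define HASH_SIZE 4                       /* tiny table: collisions are easy to hit */
static struct tnl *tnls_r_l[HASH_SIZE];   /* one table for every tunnel type */

static unsigned hash(addr_t remote, addr_t local)
{
    return (unsigned)((remote ^ local) % HASH_SIZE);   /* toy hash (assumption) */
}

/* check_wildcard = 0 models the missing checks, 1 the corrected fallback loops */
static struct tnl *tnl_lookup(addr_t remote, addr_t local, int check_wildcard)
{
    struct tnl *t;
    for (t = tnls_r_l[hash(remote, local)]; t; t = t->next)  /* exact match */
        if (t->laddr == local && t->raddr == remote)
            return t;
    for (t = tnls_r_l[hash(0, local)]; t; t = t->next)       /* wildcard remote */
        if (t->laddr == local && (!check_wildcard || t->raddr == 0))
            return t;
    for (t = tnls_r_l[hash(remote, 0)]; t; t = t->next)      /* wildcard local */
        if (t->raddr == remote && (!check_wildcard || t->laddr == 0))
            return t;
    return NULL;
}

/* Constructed case: tunnel a is bound to local 1 / remote 4 only. Returns 1 if
 * a packet for local 1 from remote 8 is handed to a anyway. */
static int stray_match(int check_wildcard)
{
    static struct tnl a;
    memset(tnls_r_l, 0, sizeof(tnls_r_l));
    a = (struct tnl){ .laddr = 1, .raddr = 4 };
    tnls_r_l[hash(a.raddr, a.laddr)] = &a;   /* lands in the same bucket as hash(0, 1) */
    return tnl_lookup(8, 1, check_wildcard) == &a;
}

int main(void)
{
    printf("without checks: %d, with checks: %d\n", stray_match(0), stray_match(1));
    return 0;
}
```

In this model the fully specified tunnel shares a bucket with the wildcard-remote key for its local address, so the fallback loop only rejects it when it also verifies that the candidate's remote address is the wildcard.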

Impact Analysis

This vulnerability in the Linux kernel's ip6_vti module can cause incorrect tunnel matching due to missing checks in the fallback search logic. As a result, packets may be incorrectly routed or matched to unintended tunnels, potentially leading to network communication issues or security risks related to improper tunnel handling.
