Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-46099
PUBLISHED
More InfoOfficial Page
Assigner-Linux
Assigner Org ID-416baaa9-dc9f-4396-8d5f-8c081fb06d67
View Known Exploited Vulnerability (KEV) details
Published At-27 May, 2026 | 12:59
Updated At-30 Jun, 2026 | 12:10
Rejected At-
▼CVE Numbering Authority (CNA)
net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence: ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1] rt_genid_bump_ipv6() -> bumps fib6_sernum [fib6_sernum from W to Z] ip6_route_output() -> ip6_pol_route() -> FIB lookup resolves fib6_nh [nhid=N] -> rt6_get_pcpu_route() pcpu_rt->sernum != fib6_sernum [W <> Z, stale] -> prev = xchg(rt6i_pcpu, NULL) -> dst_release(prev) [prev is pcpu_rt, refcount 1->0, dead] dst = skb_dst(skb) [dst is the dead pcpu_rt] dst_cache_set_ip6(dst) -> dst_hold() on dead dst -> WARN / use-after-free For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry. Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.

Affected Products
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/ipv6/rpl_iptunnel.c
  • net/ipv6/seg6_iptunnel.c
Default Status
unaffected
Versions
Affected
  • From af4a2209b1344939eaac11f269c261d347cbc3ee before 51fef5a7c4d160839199e941929456ba21ddf73c (git)
  • From af4a2209b1344939eaac11f269c261d347cbc3ee before b258b849a580285a1692e782ebc902b44c884a71 (git)
  • From af4a2209b1344939eaac11f269c261d347cbc3ee before 6bd17925bd6866027a6555db17905b9fc073d38d (git)
  • From af4a2209b1344939eaac11f269c261d347cbc3ee before 52f9db67f8f35f436366cf4980b4f0a2583d0ef0 (git)
  • From af4a2209b1344939eaac11f269c261d347cbc3ee before b778b6d095421619c331fd2d7751143cd5387103 (git)
  • From af4a2209b1344939eaac11f269c261d347cbc3ee before 9dd5481f960e337b81d7dfe429529495c1c481c0 (git)
  • From af4a2209b1344939eaac11f269c261d347cbc3ee before f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e (git)
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/ipv6/rpl_iptunnel.c
  • net/ipv6/seg6_iptunnel.c
Default Status
affected
Versions
Affected
  • 4.12
Unaffected
  • From 0 before 4.12 (semver)
  • From 5.15.209 through 5.15.* (semver)
  • From 6.1.175 through 6.1.* (semver)
  • From 6.6.140 through 6.6.* (semver)
  • From 6.12.86 through 6.12.* (semver)
  • From 6.18.27 through 6.18.* (semver)
  • From 7.0.4 through 7.0.* (semver)
  • From 7.1 through * (original_commit_for_fix)
Metrics
VersionBase scoreBase severityVector
3.18.1HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c
N/A
https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71
N/A
https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d
N/A
https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0
N/A
https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103
N/A
https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0
N/A
https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e
N/A
Hyperlink: https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e
Resource: N/A
▼Authorized Data Publishers (ADP)
kernel: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

A flaw was found in the Linux kernel's IPv6 networking implementation, specifically within the `seg6` and `rpl` lwtunnels. A race condition can occur when handling destination cache entries, where a `NOREF` (no reference) destination object is used after it has been freed. This use-after-free vulnerability can lead to system instability or a denial of service (DoS) on systems configured with `PREEMPT_RT` (Preemptible Real-Time) kernel.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 10
CPEs
  • cpe:/o:redhat:enterprise_linux:10
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 9
CPEs
  • cpe:/o:redhat:enterprise_linux:9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 6
CPEs
  • cpe:/o:redhat:enterprise_linux:6
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 7
CPEs
  • cpe:/o:redhat:enterprise_linux:7
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 8
CPEs
  • cpe:/o:redhat:enterprise_linux:8
Default Status
unaffected
Problem Types
TypeCWE IDDescription
CWECWE-911Improper Update of Reference Count
Type: CWE
CWE ID: CWE-911
Description: Improper Update of Reference Count
Metrics
VersionBase scoreBase severityVector
3.17.0HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Important
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-05-27 00:00:00
Made public.2026-05-27 00:00:00
Event: Reported to Red Hat.
Date: 2026-05-27 00:00:00
Event: Made public.
Date: 2026-05-27 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-46099
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2481972
issue-tracking
x_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46099.json
x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-46099
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2481972
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46099.json
Resource:
x_sadp-csaf-vex
Details not found