CRITICAL
seg6 DstCache Race
CVE-2026-31668
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.5 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

seg6: separate dst_cache for input and output paths in seg6 lwtunnel

The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.

Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.
02 KernelScan AI Analysis
Risk summary
Systems using IPv6 Segment Routing (SRv6) with lightweight tunnels may experience incorrect packet routing due to cache pollution between input and output paths. A remote, unauthenticated attacker can exploit this by sending IPv6 traffic that causes the shared dst_cache to be populated with a destination from one routing context (e.g., input path), which is then incorrectly reused by the other path (e.g., output path). This causes traffic to be routed using the wrong routing context, potentially bypassing network security policies, VRF isolation, or ip rules based on the ingress interface.
Vulnerability analysis
The vulnerability stems from a dst_cache shared between the seg6_input_core() and seg6_output_core() functions in the SRv6 lightweight tunnel implementation. Both paths perform post-encapsulation SID lookups but may operate in different routing contexts (different VRF tables, ip rules based on ingress interface). Because the cache is shared, whichever path executes first on a given CPU populates the cache, causing the second path to reuse the cached destination without performing its own context-appropriate lookup. The fix splits the cache into separate cache_input and cache_output structures. An attacker can trigger this remotely by sending IPv6 SRv6 packets to the target system (input path) and/or causing traffic to be routed through the SRv6 tunnel (output path). No privileges are required beyond the ability to send IPv6 packets to a system with SRv6 configured.
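The cache-sharing behaviour described above, as an added user-space model that is not the kernel patch or code from this page. Only seg6_input_core(), seg6_output_core(), dst_cache, cache_input and cache_output come from the advisory; every other type and function name is a hypothetical stand-in, and the per-CPU nature of the real cache is ignored.

```c
/* User-space model, not kernel code. Helper and type names are invented. */
#include <stdio.h>
#include <stddef.h>

struct dst { const char *table; };        /* stand-in for a routing result   */
struct cache { const struct dst *dst; };  /* stand-in for struct dst_cache   */
static const struct dst via_input_ctx  = { "table chosen by ingress rule/VRF" };
static const struct dst via_output_ctx = { "table chosen for the output path" };

/* Post-encap SID lookup: the answer depends on the routing context. */
static const struct dst *sid_lookup(int is_input)
{
    return is_input ? &via_input_ctx : &via_output_ctx;
}

/* Reuse the cached dst if one exists, otherwise look up and populate. */
static const struct dst *cached_lookup(struct cache *c, int is_input)
{
    if (!c->dst)
        c->dst = sid_lookup(is_input);
    return c->dst;
}

struct lwt_shared { struct cache cache; };                     /* before fix */
struct lwt_split  { struct cache cache_input, cache_output; }; /* after fix  */

/* Input path runs first; return the dst the output path then receives. */
const struct dst *output_after_input_shared(void)
{
    struct lwt_shared s = { { NULL } };
    cached_lookup(&s.cache, 1);         /* models seg6_input_core()  */
    return cached_lookup(&s.cache, 0);  /* models seg6_output_core() */
}

const struct dst *output_after_input_split(void)
{
    struct lwt_split s = { { NULL }, { NULL } };
    cached_lookup(&s.cache_input, 1);
    return cached_lookup(&s.cache_output, 0);
}

/* What the output path would get from its own uncached lookup. */
const struct dst *expected_output_dst(void) { return sid_lookup(0); }

int main(void)
{
    printf("shared cache: %s\n", output_after_input_shared()->table);
    printf("split cache:  %s\n", output_after_input_split()->table);
    return 0;
}
```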
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 1dec91d3b1ce |
| 5.15 | 5.15.203 | 750569d6987a |
| 6.1 | 6.1.169 | 57d0374d14fa |
| 6.6 | 6.6.135 | 84d458018b14 |
| 6.12 | 6.12.82 | 6305ad032b03 |
| 6.18 | 6.18.23 | fb56de5d9921 |
| 6.19 | 6.19.13 | 17d87d42874f |
| mainline | 7.0 | c3812651b522 |