HIGH
net/ipv6 Route Leak
CVE-2026-46172
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()

xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.

If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.

Release the dst before jumping to the drop path.
02 KernelScan AI Analysis
Risk summary
Remote attackers can cause memory exhaustion by sending IPv6 packets that trigger routing errors in XFRM encapsulation processing. The leaked dst entries accumulate over time and can lead to system denial of service through memory depletion.
Vulnerability analysis
The vulnerability occurs in xfrm6_rcv_encap() when processing IPv6 packets for XFRM/IPsec encapsulation. When ip6_route_input_lookup() returns an error route (dst->error set), the function drops the packet but fails to release the dst reference returned by the lookup. Each packet that hits this path leaks one dst entry. The fix adds dst_release(dst) before the drop path so the reference count stays balanced. The attack surface includes any system with IPv6 and XFRM enabled that processes network packets.
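The reference-count imbalance described above, modelled in user-space C as an added example (not kernel code and not taken from the patch). All type and function names are hypothetical stand-ins, the error value -1 is constructed, and the `fixed` flag selects between the pre-fix and post-fix error handling.

```c
#include <stdio.h>

/* User-space model only: every name here is hypothetical, not a kernel symbol. */
struct dst_model { int refcnt; int error; };  /* stand-in for a dst entry */
struct skb_model { struct dst_model *dst; };  /* stand-in for an skb */

/* Lookup contract from the description: always returns a referenced entry. */
static struct dst_model *lookup_model(struct dst_model *route)
{
    route->refcnt++;
    return route;
}

static void release_model(struct dst_model *dst) { dst->refcnt--; }

/* Receive path; fixed = 0 is the pre-fix shape, fixed = 1 the post-fix shape. */
static int rcv_encap_model(struct skb_model *skb, struct dst_model *route, int fixed)
{
    if (!skb->dst) {
        struct dst_model *dst = lookup_model(route);
        if (dst->error) {
            if (fixed)
                release_model(dst);  /* the fix: give the reference back */
            return -1;               /* drop path */
        }
        skb->dst = dst;              /* success: the skb now owns the reference */
    }
    return 0;
}

/* Feed n packets with no dst attached; return the references left on the route. */
static int refs_after(int route_error, int fixed, int n)
{
    struct dst_model route = { .refcnt = 1, .error = route_error }; /* table's own ref */
    for (int i = 0; i < n; i++) {
        struct skb_model skb = { .dst = NULL };
        rcv_encap_model(&skb, &route, fixed);
        if (skb.dst)
            release_model(skb.dst);  /* freeing the skb drops its reference */
    }
    return route.refcnt;
}

int main(void)
{
    printf("refs after 1000 error-route packets: pre-fix %d, post-fix %d\n",
           refs_after(-1, 0, 1000), refs_after(-1, 1, 1000));
    return 0;
}
```

In the model, the pre-fix path leaves one extra reference per dropped packet, while the success path and the post-fix error path both return the count to its starting value.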
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | a0721bcd7264 |
| 5.15 | 5.15.209 | a20b34f6e854 |
| 6.1 | 6.1.175 | 870560015ce6 |
| 6.6 | 6.6.140 | c2efc4956981 |
| 6.12 | 6.12.88 | 554c9b090c8a |
| 6.18 | 6.18.30 | 9d5047782f9b |
| 7.0 | 7.0.7 | 6a5eec0a2a0e |
| mainline | 7.1-rc3 | bc0fcb9823cd |