Description
In the Linux kernel, the following vulnerability has been resolved:

ip6_gre: Use cached t->net in ip6erspan_changelink().

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net, which re‑inserts the tunnel into the wrong per‑namespace hash table and leaves a stale entry in the original namespace. When the original network namespace is later destroyed, the stale entry is walked and the kernel hits a slab‑use‑after‑free detected by KASAN, followed by a BUG during device unregistration. The result is a kernel crash, which manifests as a denial‑of‑service condition.
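The hash mix-up from the description, reduced to a user-space C model (an added example, not kernel code and not part of the CVE record). struct netns, struct tunnel and the helper names are illustrative assumptions, and a single list stands in for the per-netns ip6gre hash.

```c
#include <stdio.h>

/* Simplified model: names are illustrative, not the kernel's definitions. */
struct tunnel {
    struct tunnel *next;
    struct netns *net;      /* creation netns, cached like t->net */
    struct netns *dev_net;  /* netns the device is in now, like dev_net(dev) */
};
struct netns { struct tunnel *hash; };

static void tunnel_link(struct netns *n, struct tunnel *t) {
    t->next = n->hash;
    n->hash = t;
}

/* Removes t only if it is actually on n's chain; otherwise a no-op. */
static void tunnel_unlink(struct netns *n, struct tunnel *t) {
    for (struct tunnel **pp = &n->hash; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; return; }
}

static int hash_contains(const struct netns *n, const struct tunnel *t) {
    for (const struct tunnel *it = n->hash; it; it = it->next)
        if (it == t) return 1;
    return 0;
}

/* changelink = unlink, update parameters, re-link. use_cached selects
 * t->net (fixed shape) or dev_net (the shape the description calls wrong). */
static void changelink(struct tunnel *t, int use_cached) {
    struct netns *n = use_cached ? t->net : t->dev_net;
    tunnel_unlink(n, t);
    tunnel_link(n, t);
}

/* Create in 'creation', let dev_net diverge to 'other', run changelink.
 * Returns bit 0 = on creation's chain, bit 1 = on other's chain. */
static int simulate(int use_cached) {
    struct netns creation = { NULL }, other = { NULL };
    struct tunnel t = { NULL, &creation, &creation };
    tunnel_link(&creation, &t);  /* newlink hashes into the creation netns */
    t.dev_net = &other;          /* device netns differs; t->net unchanged */
    changelink(&t, use_cached);
    return hash_contains(&creation, &t) | (hash_contains(&other, &t) << 1);
}

int main(void) {
    printf("dev_net: %d, cached t->net: %d\n", simulate(0), simulate(1));
    return 0;
}
```

With dev_net the unlink finds nothing to remove, so the tunnel ends up on both chains (result 3) and the creation netns keeps the entry that is later walked at netns teardown; with the cached t->net it stays on the creation chain only (result 1).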

Affected Systems

Any Linux kernel versions that include the ip6gre module before the integration of commit 5e72ce3e3980 are affected. This includes all distributions running such kernels with the ip6gre and ip6erspan features enabled, regardless of the distribution name or specific kernel release, until a kernel that incorporates the fix is deployed.

Risk and Exploitability

The EPSS data for this CVE is not available and the vulnerability is not listed in the CISA KEV catalogue. The logical attack path is reachable from an unprivileged user namespace created via tools such as unshare with the --user and --net options (inferred from the description). An attacker would need to create such a namespace, manipulate an ip6gre tunnel with ip6erspan_changelink(), then delete the original namespace to trigger the stale entry. This path leads to a kernel crash, providing an application‑level denial‑of‑service; there is no documented possibility of privilege escalation or remote code execution according to the current description. The severity appears high due to the kernel crash, but exploitation likelihood cannot be quantified due to missing EPSS metrics.

Generated by OpenCVE AI on May 28, 2026 at 13:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes commit 5e72ce3e3980 or later, ensuring ip6gre and ip6erspan use the correct network namespace handling.
  • If an immediate kernel update is not feasible, disable the ip6gre and ip6erspan modules or configure the system to avoid loading GRE tunnels in unprivileged user namespaces.
  • Restrict the creation of unprivileged user namespaces with network capabilities and monitor system logs for KASAN or kernel BUG messages, taking corrective action if such events are detected.

Advisories

No advisories yet.

History

Thu, 28 May 2026 10:15:00 +0000

Values Added (the Values Removed column is empty):

  • Description: same text as the Description section above
  • Title: ip6_gre: Use cached t->net in ip6erspan_changelink().
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:35.385Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46120

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:27.497

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:15:22Z

Weaknesses

No weakness.