CVE-2026-46172 - Vulnerability Details

- ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()

xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
already have a dst attached. ip6_route_input_lookup() returns a
referenced dst entry even when the lookup resolves to an error route.

If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
the dst to the skb and without releasing the reference returned by the
lookup. Repeated packets hitting this path therefore leak dst entries.

Release the dst before jumping to the drop path.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from the IPv6 encapsulation handler in the Linux kernel failing to release a referenced destination entry when a route lookup error occurs. Each packet processed along this code path that encounters an error will leak a reference to the destination table, gradually consuming kernel memory and potentially degrading system performance or leading to eventual service disruption.

Affected Systems

All Linux kernel versions before the applied patch are affected. The problem manifests in the generic Linux kernel code base; no specific vendor or minor release is singled out in the advisory.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is either local or remote delivery of specially crafted IPv6 encapsulated packets that trigger the lookup failure. Although the description does not mention direct code execution capabilities, repeated exploitation could lead to raw resource exhaustion, effectively denying legitimate use of networking services. Manipulating network traffic to reach the vulnerable code path would be the prerequisite for the leak to occur.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< a0721bcd72641c32b281f227a94505b31cf54117
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< a20b34f6e854fe6f2aa82528fae7a88759919eb4
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< 870560015ce6e0d8f841c6a8aba33c44be52c727
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< c2efc4956981066df2fef1cc77391b523db6d8e4
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< 554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< 9d5047782f9bd2829e529df69209bf3232eb561f
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< 6a5eec0a2a0e99ec9743cf8f1c4082178811d90a
`0146dca70b877b73c5fd9c67912b8a0ca8a7bac7`	affected	< bc0fcb9823cd0894934cf968b525c575833d7078

Linux

affected

Version	Status	Constraints
`5.8`	affected	—
`0`	unaffected	< 5.8
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0146dca70b877b73c5fd9c67912b8a0ca8a7bac7,c2efc4956981066df2fef1cc77391b523db6d8e4)`	affected	code_commit	—
`[0146dca70b877b73c5fd9c67912b8a0ca8a7bac7,554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13)`	affected	code_commit	—
`[0146dca70b877b73c5fd9c67912b8a0ca8a7bac7,9d5047782f9bd2829e529df69209bf3232eb561f)`	affected	code_commit	—
`[0146dca70b877b73c5fd9c67912b8a0ca8a7bac7,6a5eec0a2a0e99ec9743cf8f1c4082178811d90a)`	affected	code_commit	—
`[0146dca70b877b73c5fd9c67912b8a0ca8a7bac7,bc0fcb9823cd0894934cf968b525c575833d7078)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.8,*]`	affected	generic	—
`[0,5.8)`	unaffected	generic	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.88,6.13.0)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,7.1.0)`	unaffected	semver	—
`[7.1-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the fix commit for xfrm6_rcv_encap, such as tapping the latest stable series.
If an upgrade is not immediately possible, block or filter IPv6 encapsulated traffic on the affected hosts to prevent the malicious packets that trigger the error route lookup.
Monitor kernel logs for repeated route lookup failures or abnormal destination table growth and consider tuning kernel memory limits or enabling kernel memory checkpointing to mitigate exhaustion before it impacts availability.

Generated by OpenCVE AI on June 10, 2026 at 22:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00128.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13
https://git.kernel.org/stable/c/6a5eec0a2a0e99ec9743cf8f1c4082178811d90a
https://git.kernel.org/stable/c/870560015ce6e0d8f841c6a8aba33c44be52c727
https://git.kernel.org/stable/c/9d5047782f9bd2829e529df69209bf3232eb561f
https://git.kernel.org/stable/c/a0721bcd72641c32b281f227a94505b31cf54117
https://git.kernel.org/stable/c/a20b34f6e854fe6f2aa82528fae7a88759919eb4
https://git.kernel.org/stable/c/bc0fcb9823cd0894934cf968b525c575833d7078
https://git.kernel.org/stable/c/c2efc4956981066df2fef1cc77391b523db6d8e4
https://lore.kernel.org/linux-cve-announce/2026052827-CVE-2026-46172-92e0@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46172
https://www.cve.org/CVERecord?id=CVE-2026-46172

History

Wed, 10 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:7.1:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/870560015ce6e0d8f841c6a8aba33c44be52c727 https://git.kernel.org/stable/c/a0721bcd72641c32b281f227a94505b31cf54117 https://git.kernel.org/stable/c/a20b34f6e854fe6f2aa82528fae7a88759919eb4

Fri, 29 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-401

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026052827-CVE-2026-46172-92e0@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46172 https://www.cve.org/CVERecord?id=CVE-2026-46172
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Thu, 28 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path.
Title		ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13 https://git.kernel.org/stable/c/6a5eec0a2a0e99ec9743cf8f1c4082178811d90a https://git.kernel.org/stable/c/9d5047782f9bd2829e529df69209bf3232eb561f https://git.kernel.org/stable/c/bc0fcb9823cd0894934cf968b525c575833d7078 https://git.kernel.org/stable/c/c2efc4956981066df2fef1cc77391b523db6d8e4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:36:26.926Z

Updated: 2026-06-14T18:00:01.373Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46172

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:32.830

Modified: 2026-06-10T21:12:54.960

Link: CVE-2026-46172

Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46172 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses

CWE-772
Missing Release of Resource after Effective Lifetime
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object