CVE-2026-45847 Linux CVE debrief

Who should care

Linux system administrators running kernels with IPIP tunnel support, particularly those with complex network topologies or nested tunnel configurations

Technical summary

The Linux kernel contained a WARN_ON_ONCE assertion in the networking forward path array access code. With the addition of IPIP tunnel support, userspace could construct network configurations with sufficiently long forward paths that would trigger this warning. While not a security vulnerability in the traditional sense (no memory corruption or privilege escalation), the warning could cause log spam and potential operational issues. The resolution removes the WARN_ON_ONCE entirely. Multiple stable kernel branches received backports of this fix.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates from your Linux distribution that include the referenced stable commits
• Monitor for kernel package updates addressing this issue
• Review IPIP tunnel configurations for unusual forward path lengths

Evidence notes

The CVE description indicates this was a code quality fix to remove a WARN_ON_ONCE that could be triggered by valid IPIP tunnel configurations. Multiple stable kernel commits are referenced, suggesting backports to various kernel versions.

Official resources