CVE-2026-45905 Linux CVE debrief

Who should care

Linux system administrators running kernels with IPsec/XFRM policies enabled; security teams monitoring for kernel stability issues; network operators using dynamic address configuration on routers or VPN gateways

Technical summary

The vulnerability is a race condition in `icmp_route_lookup()` within the Linux kernel's IPv4 routing and XFRM (IPsec) framework. When processing ICMP error messages in reverse path mode, the function calls `ip_route_input()` to simulate the reverse packet's input path. If the destination address becomes local between the initial flow check and the route lookup (due to concurrent address configuration), `ip_route_input()` returns a LOCAL route with `dst.output` pointing to `ip_rt_bug`. Subsequent use of this route for ICMP output causes `dst_output()` to invoke `ip_rt_bug()`, triggering a kernel WARNING. The fix validates `rt2->rt_type` after `ip_route_input()` and rejects LOCAL routes, preventing invalid output route usage.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates from your Linux distribution that include the XFRM icmp_route_lookup fix
• Monitor kernel logs for ip_rt_bug warnings as indicators of potential trigger conditions
• Review systems using IPsec (XFRM) policies with ICMP error handling
• Prioritize patching on systems with dynamic address configuration where 'ip addr add' operations may occur during packet processing

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27. Six kernel.org stable tree commits are referenced, indicating backports to multiple kernel versions. The issue was resolved in the Linux kernel with a fix that validates route type after reverse path lookup.

Official resources