PatchSiren cyber security CVE debrief
CVE-2026-46099 Linux CVE debrief
A use-after-free vulnerability exists in the Linux kernel's IPv6 Segment Routing (seg6) and RPL (IPv6 Routing Protocol for Low-Power and Lossy Networks) lightweight tunnel implementations. The flaw occurs when `seg6_input_core()` and `rpl_input()` call `ip6_route_input()`, which sets a NOREF destination on the socket buffer (skb), then pass it to `dst_cache_set_ip6()` which invokes `dst_hold()` unconditionally. On PREEMPT_RT kernels where ksoftirqd is preemptible, a race condition can occur: a higher-priority task on the same CPU can release the underlying per-CPU route (pcpu_rt) between the lookup and caching operations through a concurrent FIB lookup on a shared nexthop. This results in `dst_hold()` being called on a dead destination, triggering a warning and potential use-after-free. The vulnerability specifically requires PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK and shared nexthop objects that allow concurrent access to the same fib6_nh structure. The fix converts the NOREF destination to a refcounted one by calling `skb_dst_force()` after `ip6_route_input()` before caching.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Linux kernels with PREEMPT_RT enabled and using IPv6 Segment Routing (SRv6) or RPL protocols; network infrastructure providers with shared nexthop configurations; and operators of real-time embedded systems with IPv6 networking stacks.
Technical summary
The vulnerability stems from improper handling of NOREF destinations in IPv6 input path lightweight tunnels. When `ip6_route_input()` sets a NOREF destination on an skb, the subsequent unconditional `dst_hold()` in `dst_cache_set_ip6()` assumes the destination remains valid. However, on PREEMPT_RT systems, the gap between route lookup and caching is preemptible. A concurrent FIB lookup from a higher-priority task can observe a stale per-CPU route (detected via fib6_sernum mismatch), release it via `dst_release()`, and leave the original task with a dangling pointer. The fix ensures proper reference counting by forcing the NOREF destination to become refcounted before caching operations.
Defensive priority
high
Recommended defensive actions
- Apply kernel patches from stable branches when available
- Prioritize patching systems running PREEMPT_RT kernels with IPv6 Segment Routing or RPL enabled
- Monitor for kernel warnings related to dst_hold() on dead destinations
- Consider disabling IPv6 SR or RPL if not required as interim mitigation
- Review systems using shared nexthop objects with IPv6 routes
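To support the review steps above, the following added example (not part of the original advisory or of any kernel tooling) checks a host for the three preconditions the debrief names. It assumes the config symbols are the page's names with a `CONFIG_` prefix and that route text is in `ip -6 route show` format; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline-testable triage for the conditions in this debrief.
# Assumptions: config symbols are the page's names with a CONFIG_ prefix;
# route text is in `ip -6 route show` format. Sample data below is constructed.

# Reads kernel config on stdin; succeeds for PREEMPT_RT without NEEDS_BH_LOCK.
is_preempt_rt() {
    _c=$(cat)
    printf '%s\n' "$_c" | grep -q '^CONFIG_PREEMPT_RT=y$' &&
        ! printf '%s\n' "$_c" | grep -q '^CONFIG_PREEMPT_RT_NEEDS_BH_LOCK=y$'
}

# Reads routes on stdin; prints those with a seg6 or rpl encap (not seg6local).
lwt_routes() {
    grep -E '(^| )encap (seg6|rpl)( |$)' || true
}

# Reads routes on stdin; prints nexthop ids used by more than one route.
shared_nhids() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "nhid") n[$(i + 1)]++ }
         END { for (id in n) if (n[id] > 1) print id }' | sort -n
}

# $1 = kernel config text, $2 = route text. Prints "review" when all three
# preconditions named in the debrief are present, else "not-matching".
triage() {
    printf '%s\n' "$1" | is_preempt_rt || { echo not-matching; return 0; }
    [ -n "$(printf '%s\n' "$2" | lwt_routes)" ] || { echo not-matching; return 0; }
    [ -n "$(printf '%s\n' "$2" | shared_nhids)" ] || { echo not-matching; return 0; }
    echo review
}

# Constructed sample input (documentation prefixes, hypothetical nexthop ids).
SAMPLE_CONFIG='CONFIG_PREEMPT_RT=y
CONFIG_IPV6_SEG6_LWTUNNEL=y'
SAMPLE_ROUTES='2001:db8:a::/64 nhid 10 encap seg6 mode encap segs 1 [ 2001:db8:ffff::1 ] via fe80::1 dev eth0 metric 1024 pref medium
2001:db8:b::/64 nhid 10 via fe80::1 dev eth0 metric 1024 pref medium
2001:db8:c::/64 nhid 11 via fe80::2 dev eth1 metric 1024 pref medium
2001:db8:d::/64 encap seg6local action End dev eth0 metric 1024 pref medium'

# Live use (config path varies by distro):
#   triage "$(cat "/boot/config-$(uname -r)")" "$(ip -6 route show)"
triage "$SAMPLE_CONFIG" "$SAMPLE_ROUTES"
```

A `review` result means the preconditions are present on the host, not that the kernel lacks the fix; confirm the running kernel version against the stable patch separately.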
Evidence notes
Vulnerability description confirms race condition in seg6_input_core() and rpl_input() functions. Affected code paths involve NOREF destination handling with dst_cache_set_ip6(). Race requires PREEMPT_RT with preemptible ksoftirqd and shared nexthop objects. Fix involves skb_dst_force() call to convert NOREF to refcounted destination.
Official resources
- CVE-2026-46099 CVE record (CVE.org)
- CVE-2026-46099 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-27