PatchSiren cyber security CVE debrief
CVE-2026-46120 Linux CVE debrief
A use-after-free vulnerability exists in the Linux kernel's IPv6 ERSPAN tunnel implementation (ip6_gre). The ip6erspan_changelink() function incorrectly uses dev_net(dev) instead of the cached t->net when re-inserting tunnel entries into per-netns hash tables. This causes a namespace mismatch after IFLA_NET_NS_FD migration: the tunnel is inserted into the wrong namespace's hash while leaving a stale entry in the original namespace. When the original namespace is destroyed, ip6gre_exit_rtnl_net() traverses the stale entry, triggering KASAN-reported slab-use-after-free and a kernel BUG at net/core/dev.c. The vulnerability is reachable from unprivileged user namespaces.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-30
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-30
Who should care
Linux kernel maintainers, container platform operators, cloud providers offering nested virtualization or user namespaces, security teams monitoring kernel networking subsystems
Technical summary
The ip6erspan_changelink() function in net/ipv6/ip6_gre.c calls dev_net(dev) when updating tunnel hash entries instead of using the cached tunnel netns (t->net). After a network namespace migration via IFLA_NET_NS_FD, the tunnel is therefore inserted into the destination namespace's hash while a stale pointer remains in the original namespace's hash. Destroying the original namespace then triggers a use-after-free when the stale hash entry is walked, with KASAN detecting slab corruption and LIST_POISON1 triggering a kernel BUG. The fix aligns ip6erspan_changelink() with ip6gre_changelink() by using the cached t->net.
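The hash mismatch described above, as an added userspace model (not kernel code and not part of the original advisory). All struct and function names are hypothetical, each namespace's hash is reduced to a single bucket, and `use_cached_net` selects between the flawed lookup and the fixed one.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model of the hashing flaw; every name is hypothetical. */
struct netns { struct tunnel *head; };  /* one hash bucket per namespace */
struct tunnel {
    struct tunnel *next;
    struct netns *net;      /* cached creation netns: the page's t->net */
    struct netns *dev_net;  /* netns the device is in now: dev_net(dev) */
};

static void tbl_link(struct netns *ns, struct tunnel *t) { t->next = ns->head; ns->head = t; }

/* Removes t if present; a search of the wrong table finds and removes nothing. */
static void tbl_unlink(struct netns *ns, struct tunnel *t)
{
    for (struct tunnel **pp = &ns->head; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; return; }
}

static int tbl_contains(const struct netns *ns, const struct tunnel *t)
{
    for (const struct tunnel *p = ns->head; p; p = p->next)
        if (p == t) return 1;
    return 0;
}

/* Rehash around a parameter change; use_cached_net == 0 is the flawed lookup, 1 the fix. */
static void changelink(struct tunnel *t, int use_cached_net)
{
    struct netns *ns = use_cached_net ? t->net : t->dev_net;
    tbl_unlink(ns, t);
    tbl_link(ns, t);
}

/* Bit 0: tunnel still in the original table. Bit 1: tunnel in the destination table. */
static int run_scenario(int use_cached_net)
{
    struct netns orig = { NULL }, dest = { NULL };
    struct tunnel t = { NULL, &orig, &orig };
    tbl_link(&orig, &t);   /* creation: hashed in the creation namespace */
    t.dev_net = &dest;     /* migration: the device moves, t->net does not */
    changelink(&t, use_cached_net);
    return tbl_contains(&orig, &t) | (tbl_contains(&dest, &t) << 1);
}

int main(void)
{
    return printf("flawed=%d fixed=%d\n", run_scenario(0), run_scenario(1)) < 0;
}
```

A result of 3 means the tunnel is reachable from both tables, which is the stale-entry state the original namespace's teardown later walks; a result of 1 means it is hashed only in the table that t->net owns.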
Defensive priority
high
Recommended defensive actions
- Apply kernel patches from stable branches (commits 1d324c2f43f70c965f25c58cc3611c779adbe47e, 311fdd26eb4443d43b909cc67a10f3a5fd1b21b2, cf7fc624329e76c6394653d12353e1d033adea91, e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82, e
Evidence notes
Vulnerability description confirms root cause: ip6erspan_changelink() uses dev_net(dev) rather than cached t->net, diverging from ip6erspan_newlink() behavior after commit 5e72ce3e3980. Five kernel.org stable commits provided as patches. KASAN detection and kernel BUG at LIST_POISON1 confirm memory corruption. Unprivileged user namespace access confirmed in description.
Official resources
- CVE-2026-46120 CVE record (CVE.org)
- CVE-2026-46120 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-28