PatchSiren cyber security CVE debrief

CVE-2026-46172 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's IPv6 IPsec implementation. The function `xfrm6_rcv_encap()` in the IPv6 transform subsystem fails to release a destination cache (dst) entry reference when an error route is encountered during packet processing. Specifically, when `ip6_route_input_lookup()` returns an error route (indicated by `dst->error` being set), the code path jumps to a drop handler without either attaching the dst to the socket buffer or releasing the reference. This results in a reference count leak that can be triggered repeatedly by network traffic, leading to gradual memory exhaustion. The vulnerability affects systems processing IPv6 IPsec encapsulated traffic where route lookups fail. The fix adds a `dst_release()` call before the error path to properly decrement the reference count.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

  • System administrators running Linux kernels with IPv6 IPsec (XFRM) enabled
  • Security teams monitoring for denial-of-service conditions via resource exhaustion
  • Network operators handling IPv6 VPN or tunnel traffic

Technical summary

The vulnerability is located in `net/ipv6/xfrm6_input.c` in the `xfrm6_rcv_encap()` function. When processing IPv6 IPsec encapsulated packets, if no destination entry is attached to the socket buffer, the function performs a route lookup via `ip6_route_input_lookup()`. This function returns a referenced dst entry even when the lookup resolves to an error route (such as when no valid route exists). The code checks `dst->error` and jumps to a drop label if set, but fails to call `dst_release()` on the referenced entry before dropping. Since the dst is not attached to the skb (which would transfer ownership), the reference is leaked. Repeated packets hitting this error path cause cumulative memory leakage of dst structures. The fix inserts `dst_release(dst)` before the drop path, ensuring proper cleanup.
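The reference-count pattern described above, modelled as a stand-alone C program (an added example, not kernel code): the hypothetical `lookup()` stands in for `ip6_route_input_lookup()`, which hands back a referenced entry even for an error route, and `rcv_before_fix()` / `rcv_after_fix()` are constructed reductions of the error path before and after the fix. Pushing error-route packets through each handler shows how many dst references remain outstanding.

```c
#include <stdlib.h>
/* Toy dst: a refcounted route entry; error != 0 marks an error route. */
struct dst { int refcnt; int error; };
struct skb { struct dst *dst; };

static int live_dst; /* dst objects currently holding a reference */

/* Stand-in for ip6_route_input_lookup(): the caller always receives
 * a referenced entry, even when the result is an error route. */
static struct dst *lookup(int route_error) {
    struct dst *d = malloc(sizeof *d);
    d->refcnt = 1;
    d->error = route_error;
    live_dst++;
    return d;
}

static void dst_release(struct dst *d) {
    if (d && --d->refcnt == 0) { live_dst--; free(d); }
}

/* Freeing the skb drops the reference the skb owns (if any). */
static void skb_free(struct skb *s) { dst_release(s->dst); s->dst = NULL; }

/* Pre-fix path: an error route is dropped without attach or release, so the ref leaks. */
static int rcv_before_fix(struct skb *s, int route_error) {
    struct dst *d = lookup(route_error);
    if (d->error)
        return -1;          /* drop: reference never released */
    s->dst = d;             /* ownership moves to the skb */
    return 0;
}

/* Post-fix path: dst_release() precedes the drop. */
static int rcv_after_fix(struct skb *s, int route_error) {
    struct dst *d = lookup(route_error);
    if (d->error) {
        dst_release(d);     /* the added call */
        return -1;
    }
    s->dst = d;
    return 0;
}

/* Push n packets through a handler and return the dst refs still outstanding
 * (constructed harness; the pre-fix handler deliberately leaks them). */
static int leaked_after(int (*rcv)(struct skb *, int), int n, int route_error) {
    struct skb s = { NULL };
    live_dst = 0;
    for (int i = 0; i < n; i++) { rcv(&s, route_error); skb_free(&s); }
    return live_dst;
}
```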

Defensive priority

Medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available from your Linux distribution
  • Monitor for kernel memory usage anomalies on systems handling IPv6 IPsec traffic
  • Consider implementing network-level filtering to reduce exposure to malformed or routing-failure IPv6 IPsec packets if patching is delayed
  • Review system logs for indicators of repeated IPv6 IPsec processing failures that could trigger this leak
  • Validate that security monitoring tools can detect abnormal kernel memory growth patterns

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details confirmed through kernel commit messages in stable tree. The issue is a classic reference counting bug in network stack error handling paths. Multiple stable kernel commits indicate backports to affected versions.

Official resources
