{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "af4a2209b1344939eaac11f269c261d347cbc3ee"
            },
            {
              "fixed": "51fef5a7c4d160839199e941929456ba21ddf73c"
            },
            {
              "fixed": "b258b849a580285a1692e782ebc902b44c884a71"
            },
            {
              "fixed": "6bd17925bd6866027a6555db17905b9fc073d38d"
            },
            {
              "fixed": "52f9db67f8f35f436366cf4980b4f0a2583d0ef0"
            },
            {
              "fixed": "b778b6d095421619c331fd2d7751143cd5387103"
            },
            {
              "fixed": "9dd5481f960e337b81d7dfe429529495c1c481c0"
            },
            {
              "fixed": "f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.12.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.86"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.27"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46099.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n  ksoftirqd/X                       higher-prio task (same CPU X)\n  -----------                       --------------------------------\n  seg6_input_core(,skb)/rpl_input(skb)\n    dst_cache_get()\n      -\u003e miss\n    ip6_route_input(skb)\n      -\u003e ip6_pol_route(,skb,flags)\n         [RT6_LOOKUP_F_DST_NOREF in flags]\n        -\u003e FIB lookup resolves fib6_nh\n           [nhid=N route]\n        -\u003e rt6_make_pcpu_route()\n           [creates pcpu_rt, refcount=1]\n             pcpu_rt-\u003esernum = fib6_sernum\n             [fib6_sernum=W]\n           -\u003e cmpxchg(fib6_nh.rt6i_pcpu,\n                      NULL, pcpu_rt)\n              [slot was empty, store succeeds]\n      -\u003e skb_dst_set_noref(skb, dst)\n         [dst is pcpu_rt, refcount still 1]\n\n                                    rt_genid_bump_ipv6()\n                                      -\u003e bumps fib6_sernum\n                                         [fib6_sernum from W to Z]\n                                    ip6_route_output()\n                                      -\u003e ip6_pol_route()\n                                        -\u003e FIB lookup resolves fib6_nh\n                                           [nhid=N]\n                                        -\u003e rt6_get_pcpu_route()\n                                             pcpu_rt-\u003esernum != fib6_sernum\n                                             [W \u003c\u003e Z, stale]\n                                          -\u003e prev = xchg(rt6i_pcpu, NULL)\n                                          -\u003e dst_release(prev)\n                                             [prev is pcpu_rt,\n                                              refcount 1-\u003e0, dead]\n\n    dst = skb_dst(skb)\n    [dst is the dead pcpu_rt]\n    dst_cache_set_ip6(dst)\n      -\u003e dst_hold() on dead dst\n      -\u003e WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst.",
  "id": "CVE-2026-46099",
  "modified": "2026-07-16T03:30:56.252628960Z",
  "published": "2026-05-27T12:59:04.628Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46099.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-46099"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46099.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46099"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481972"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels"
}