CVE-2026-46172: Linux Kernel IPv6 IPsec Memory Leak (Local DoS)
A memory leak vulnerability exists in the Linux kernel's IPv6 IPsec handling code. When the kernel processes certain incoming IPv6 packets with IPsec encapsulation, it performs a route lookup but fails to properly clean up a reference to the routing information in error conditions. An attacker with local access could trigger this flaw repeatedly, exhausting kernel memory and causing a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in xfrm6_rcv_encap() within the IPv6 IPsec decapsulation path. When a socket buffer (skb) lacks an attached destination cache entry, the function invokes ip6_route_input_lookup() to resolve the route. The ip6_route_input_lookup() function returns a referenced destination entry regardless of whether the lookup result points to an error route. The bug occurs in the error-handling path: if the returned dst->error field is set, xfrm6_rcv_encap() discards the packet without attaching the dst to the skb and critically, without releasing the reference obtained from the lookup. Repeated invocations of this error condition leak unreleased dst entries, gradually depleting kernel memory. The fix requires releasing the dst reference before jumping to the drop path.
Business impact
This vulnerability enables a local denial-of-service attack that degrades system availability. An unprivileged local user can exhaust kernel memory by repeatedly triggering the error condition, eventually forcing system instability, service interruptions, or a complete crash. In multi-tenant or shared-resource environments (containers, cloud instances), this becomes a noisy neighbor problem where one tenant impacts others. Organizations running exposed Linux systems with local user access or those operating virtualized infrastructure face material risk to uptime.
Affected systems
The Linux kernel is affected. The vulnerability exists in IPv6 IPsec handling (xfrm6 subsystem), making it relevant to systems with IPv6 and IPsec enabled, or systems running as network appliances or VPN gateways. The vulnerability is not present in systems where IPv6 is completely disabled, though this is uncommon in modern deployments. Affected systems depend on kernel version; verify your kernel version against the vendor advisory for specific patched releases.
Exploitability
Exploitability is local-only; the CVSS vector specifies AV:L (local attack vector), meaning an attacker must have already obtained local code execution or shell access on the target system. No network exploitation is possible. The attack is trivial to execute once local access is obtained—simply sending malformed IPv6 IPsec packets or triggering the error condition repeatedly via local tools. The barrier to exploitation is entirely the requirement for local system access, not technical complexity.
Remediation
Apply a patched kernel version provided by your Linux distribution or the kernel upstream. The upstream fix is a targeted change to xfrm6_rcv_encap() that adds a dst_release() call in the error path before discarding the packet. Contact your vendor (Red Hat, Canonical, SUSE, etc.) to identify the specific kernel version containing this fix for your distribution and architecture. Until a patch is applied, mitigate by restricting local system access to trusted users only and disabling IPsec on IPv6 if feasible in your environment.
Patch guidance
Wait for your Linux distribution's security advisory to confirm the patched kernel version. Kernel patches are typically released and tested before general availability; the distribution's security team ensures compatibility and integrity. Once available, install the patched kernel and reboot. Test thoroughly in a non-production environment first, as kernel updates carry inherent risk. Verify the update was successfully applied by confirming the kernel version after reboot. If using a cloud provider or container platform, check whether patches are automatically applied to your instances or images.
Detection guidance
Monitor kernel memory usage trends and watch for unusual spikes in memory consumption not correlated with application workload changes. Review kernel logs for dst reference count errors or memory allocation failures related to the IPv6 routing subsystem. Network intrusion detection is unhelpful since the attack is local-only. Focus detection on access logs—identify unexpected shell sessions, sudo usage, or container breakout attempts from unprivileged users. Kernel address sanitizers or memory leak detection tools (if enabled in debug builds) may flag the dst leak during testing.
Why prioritize this
This is a local denial-of-service vulnerability with medium severity (CVSS 5.5). Prioritize it based on your system's exposure to local users. If your servers are single-tenant, locked-down production systems with no shell access for unprivileged users, this poses lower risk. If you run multi-tenant platforms, containers, or systems where local user access is common, this is higher priority because the attack surface is larger and the business impact is direct. It is not as critical as network-exploitable flaws, but the memory exhaustion impact is reliable and difficult to detect in real time.
Risk score, explained
CVSS 5.5 (MEDIUM) reflects a high-availability impact (A:H—denial of service via resource exhaustion) but constrained attack vector (AV:L) and no impact on confidentiality or integrity. The scoring assumes an authenticated attacker with local privileges. The lack of CVSS temporal factors (KEV status, active exploitation) means the score is static, though local exploit development is trivial once code execution is achieved.
Frequently asked questions
Does this vulnerability require network access to exploit?
No. The vulnerability is local-only (AV:L in CVSS). An attacker must already have shell access or code execution on the target system. It cannot be exploited remotely over the network.
Which Linux systems are at risk?
Any system running a vulnerable kernel version with IPv6 and IPsec enabled. This includes routers, VPN appliances, cloud instances, and servers with IPsec VPN tunnel configurations. Systems with IPv6 completely disabled are not affected, but this is rare in production environments.
What is the practical impact of this memory leak?
Repeated triggering of the error condition causes kernel memory to leak and eventually become exhausted. The system then experiences slowdowns, service failures, or a complete crash. The attack requires repeated packet injection but is otherwise simple to execute.
How do I know if my kernel is patched?
Check your kernel version using `uname -r` and cross-reference it against your distribution's security advisory for CVE-2026-46172. The advisory will list patched kernel versions. Alternatively, compile the kernel source and inspect the xfrm6_rcv_encap() function to confirm the dst_release() fix is present in the error path.
This analysis is based on the CVE description and CVSS scoring provided as of the publication date. Verify patch availability and affected kernel versions directly with your Linux distribution's security advisory before deploying updates. No known public exploits were referenced in this analysis. This vulnerability requires local access; if your systems do not permit untrusted local users, risk is reduced but not eliminated. Test all kernel updates in non-production environments before rolling out to production. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure