CVE-2026-46260: Linux Kernel IPv6 Routing Out-of-Bounds Read Vulnerability
A memory safety defect in the Linux kernel's IPv6 routing code allows a local attacker with unprivileged user permissions to read data outside allocated memory boundaries. The vulnerability exists in the `fib6_add_rt2node()` function when processing IPv6 routes created with a specific routing attribute (RTA_NH_ID). Under certain conditions, the kernel reads from memory that doesn't belong to the expected data structure, potentially exposing sensitive kernel data or triggering a crash. The flaw requires local system access and cannot be exploited remotely.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix out-of-bound access in fib6_add_rt2node(). syzbot reported out-of-bound read in fib6_add_rt2node(). [0] When IPv6 route is created with RTA_NH_ID, struct fib6_info does not have the trailing struct fib6_nh. The cited commit started to check !iter->fib6_nh->fib_nh_gw_family to ensure that rt6_qualify_for_ecmp() will return false for iter. If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway. Let's check iter->nh before reading iter->fib6_nh and avoid OOB read. [0]: BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500 CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline] fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531 __ip6_ins_rt net/ipv6/route.c:1351 [inline] ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f9316b9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9 RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0 </TASK> Allocated by task 5499: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820 ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_s ---truncated---
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46260 is a slab-out-of-bounds read vulnerability in net/ipv6/ip6_fib.c within the Linux kernel's IPv6 Forwarding Information Base (FIB) management code. The bug occurs when `fib6_add_rt2node()` processes route entries created via netlink with the RTA_NH_ID attribute. When such a route is created, the associated `fib6_info` structure is allocated without a trailing `fib6_nh` member. A recent kernel change introduced a check of `iter->fib6_nh->fib_nh_gw_family` without first validating that the `fib6_nh` member exists. If an iterator's `nh` field is non-NULL, the code should bypass this check entirely, but the current logic attempts to dereference `fib6_nh` regardless. This results in reading one byte beyond the allocated object, as reported by KASAN (Kernel Address Sanitizer) at offset 0xde in the slab allocation. The CVSS 3.1 score of 7.8 reflects high severity due to information disclosure and denial-of-service potential via a local, low-privilege attack vector with no user interaction required.
Business impact
Exploitation of this vulnerability could lead to unauthorized disclosure of sensitive kernel memory, potentially revealing cryptographic material, user credentials, or system configuration details. A local attacker could also reliably crash systems by triggering the out-of-bounds read, resulting in denial of service. For organizations running Linux on servers or containers, this translates to risk of privilege escalation chains (if disclosed data is leveraged), unplanned downtime, and potential compliance violations if sensitive data exposure occurs. The attack requires local system access, so the threat surface is primarily internal; however, containerized environments and multi-tenant cloud deployments face elevated risk if workload isolation is incomplete.
Affected systems
The Linux kernel is affected. The vulnerability appears in the IPv6 routing subsystem and is triggered during IPv6 route insertion operations via netlink. Any system running an affected Linux kernel version that processes IPv6 route configuration—whether via user-space routing daemons, container orchestration platforms, or manual `ip route` commands—is potentially vulnerable. The issue manifests during normal operation of IPv6 address management and does not require exotic or undocumented kernel configurations. Specific kernel versions containing this flaw should be verified against the official Linux kernel repository and vendor advisories (check your distribution's security announcements for precise affected versions and patch availability).
Exploitability
The vulnerability is exploitable by any unprivileged local user on the system. Exploitation does not require special capabilities, race conditions, or kernel features to be enabled. A user with basic shell access can trigger the vulnerable code path by attempting to add an IPv6 route with RTA_NH_ID via netlink (e.g., using standard `ip` command-line tools). The KASAN trace confirms the crash is triggered through normal netlink route insertion syscalls. The attack is deterministic and does not depend on ASLR or other probabilistic factors, making it reliable. No privilege escalation is required to reach the vulnerable code; however, the information disclosed or the denial-of-service outcome may facilitate further attacks by a local attacker seeking to escalate privileges or disrupt services.
Remediation
Update the Linux kernel to a version that includes the fix for this out-of-bounds read. The fix involves adding a check for `iter->nh != NULL` before dereferencing `iter->fib6_nh->fib_nh_gw_family` in the `fib6_add_rt2node()` function. This ensures that if a route entry's next-hop is managed externally (via RTA_NH_ID), the code path that inspects the inline `fib6_nh` member is skipped. Check your Linux distribution's security advisories and kernel release notes for the specific patched version number applicable to your deployment. Patched kernel versions should be available from your vendor (Red Hat, Canonical, SUSE, etc.) or the upstream Linux kernel project. Apply patches promptly, as local users are typically present in production environments.
Patch guidance
Coordinate with your infrastructure and release management teams to schedule kernel updates. Test the patched kernel in a staging environment that mirrors your production IPv6 configuration before rolling out to production systems. For systems running container orchestration (Kubernetes, Docker, etc.), ensure node kernel updates are applied during maintenance windows, as this may require node drains or brief restarts. For embedded systems or appliances using custom Linux kernels, consult your vendor for patched firmware or kernel builds. Verify the patch by confirming the presence of the `iter->nh` null check in the patched `net/ipv6/ip6_fib.c` source code (around line 1142). If your kernel version is not yet patched, consider temporary mitigation by restricting unprivileged netlink access via AppArmor, SELinux, or seccomp policies, though this is not a substitute for patching.
Detection guidance
Monitor kernel logs for KASAN warnings containing 'slab-out-of-bounds' and references to `fib6_add_rt2node` or `ip6_fib.c` if KASAN is enabled in your kernel build. If KASAN is not available, watch for unexpected kernel oops or crashes following IPv6 route configuration changes. In production, enable audit logging for netlink operations (auditctl rules targeting the netlink syscall) to correlate suspicious route changes with crash events. Correlate sudden restarts or kernel panics with local user activity on systems handling IPv6 routes. Use vulnerability scanning tools to identify systems running unpatched kernel versions by matching kernel version numbers against known-vulnerable ranges from your distribution vendor. Implement intrusion detection rules to flag repeated netlink route operations from unprivileged processes, which may indicate exploitation attempts.
Why prioritize this
This vulnerability merits high-priority patching because it is locally exploitable without privilege escalation, affects a core kernel subsystem (IPv6 routing) present in most modern Linux systems, and carries both information disclosure and denial-of-service risks. The out-of-bounds read exposes kernel memory, and the deterministic crash vector enables reliable denial of service. While the attack surface is limited to local users, the prevalence of multi-tenant environments, containerized workloads, and compromised user accounts makes local access more probable than in isolated systems. Organizations with strict uptime requirements or those handling sensitive data should treat this as high-priority. Systems in restricted, air-gapped environments with minimal local user activity may defer patching slightly, but should not leave the issue unaddressed for extended periods.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of a local attack vector (AV:L) with low attack complexity (AC:L), requiring only low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U), meaning the vulnerability does not affect resources outside the vulnerable component's scope. However, the impact is high across all three dimensions: confidentiality (C:H) due to information disclosure via out-of-bounds memory read, integrity (I:H) because a local attacker could corrupt kernel data structures to modify routing behavior or escalate privileges, and availability (A:H) due to the reliable denial-of-service crash. The score appropriately elevates this beyond a medium-severity issue because any local user can trigger the vulnerability, and the consequences span multiple security properties.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access and is triggered by unprivileged user operations on the local system (via netlink syscalls). Remote attackers cannot exploit this directly unless they first establish local code execution through another vulnerability.
What is RTA_NH_ID and why does it matter here?
RTA_NH_ID is a netlink routing attribute that allows external next-hop management for IPv6 routes. When this attribute is used, the kernel allocates a smaller `fib6_info` structure without an embedded `fib6_nh` member. The bug occurs because the code attempts to read from `fib6_nh` without checking whether it exists, causing an out-of-bounds read.
Will this crash my system immediately?
Not necessarily immediately, but triggering the vulnerable code path (adding an IPv6 route with RTA_NH_ID) will cause a kernel crash or KASAN warning on affected systems. The crash is reliable and repeatable, making it a denial-of-service vector rather than a rare, hard-to-reproduce issue.
What should I do if I cannot patch immediately?
Implement least-privilege principles to minimize local user access. Restrict unprivileged users' ability to modify network configuration via AppArmor, SELinux, or systemd policies that block netlink route operations. Monitor kernel logs closely for KASAN warnings or unexpected crashes. Prioritize patching for systems with high local user populations or multi-tenant deployments.
This analysis is provided for informational purposes to assist security professionals in vulnerability management and risk assessment. The information is based on publicly disclosed details, including the CVE description, CVSS scoring, and kernel bug reports. Specific patched kernel versions and vendor release schedules should be verified against official distribution advisories and the Linux kernel project. Patch availability and timelines vary by Linux distribution; consult Red Hat, Canonical, SUSE, and other vendors for your specific environment. This document does not constitute professional security advice; security decisions should be made in consultation with qualified security personnel and validated through your organization's change management and testing procedures. Exploitation details provided are for defensive awareness only; malicious use is prohibited. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-46130HIGHLinux Kernel dm-verity-fec Out-of-Bounds Read – Vulnerability Details
- CVE-2026-46133HIGHLinux RDMA/rxe Kernel Panic via Invalid Opcode DoS
- CVE-2026-46138HIGHLinux Bluetooth Kernel Out-of-Bounds Read and DoS Vulnerability
- CVE-2026-46140HIGHLinux Kernel Bluetooth btmtk Driver Memory Disclosure