CVE-2026-31668
Description
In the Linux kernel, the following vulnerability has been resolved:
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.
Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.
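A toy model of the shared-cache behaviour described above, added here as an illustration; it is not kernel code and not the upstream patch. The `toy_*` names, the table ids 100/254 and the routing policy are constructed assumptions; only `cache_input` and `cache_output` come from the description.

```c
#include <stdio.h>

/* Toy model, not kernel code. A "dst" is reduced to the id of the routing
 * table that answered the post-encap SID lookup. All toy_* names are
 * hypothetical; only cache_input/cache_output come from the fix description. */
enum toy_path { TOY_INPUT, TOY_OUTPUT };
struct toy_dst_cache { int valid; int dst; };

/* Constructed policy: an ip rule on the ingress interface sends the input
 * path to table 100, while the output path resolves in main (254). */
static int toy_route_lookup(enum toy_path p)
{
    return p == TOY_INPUT ? 100 : 254;
}

/* Use the cached dst if there is one, else run this path's lookup and cache it. */
static int toy_resolve(struct toy_dst_cache *c, enum toy_path p)
{
    if (!c->valid) {
        c->dst = toy_route_lookup(p);
        c->valid = 1;
    }
    return c->dst;
}

struct toy_lwt_shared { struct toy_dst_cache cache; };  /* pre-fix: one slot */
struct toy_lwt_split { struct toy_dst_cache cache_input, cache_output; };  /* post-fix */

/* Input runs first, then output; returns the dst the output path ends up using. */
int output_dst_shared(void)
{
    struct toy_lwt_shared s = { { 0, 0 } };
    toy_resolve(&s.cache, TOY_INPUT);          /* populates the shared slot */
    return toy_resolve(&s.cache, TOY_OUTPUT);  /* reuses it, skips its own lookup */
}

int output_dst_split(void)
{
    struct toy_lwt_split s = { { 0, 0 }, { 0, 0 } };
    toy_resolve(&s.cache_input, TOY_INPUT);
    return toy_resolve(&s.cache_output, TOY_OUTPUT);
}

int main(void)
{
    printf("shared: output uses table %d\n", output_dst_shared());
    printf("split:  output uses table %d\n", output_dst_split());
    return 0;
}
```

With the shared slot the output path inherits the input path's table; with separate slots each path gets the result of its own lookup.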
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A shared dst_cache in the Linux kernel's seg6 lwtunnel caused incorrect routing for input and output paths, leading to a critical vulnerability (CVSS 9.8).
Vulnerability Overview
The Linux kernel's seg6 (Segment Routing over IPv6) lightweight tunnel uses a single dst_cache per encap route, shared between the seg6_input_core() and seg6_output_core() functions. These two functions perform the post-encapsulation SID lookup in different routing contexts—for example, when ingress interface-based rules or VRF table separation are in use. Whichever function runs first populates the shared cache, and the other blindly reuses that cached route, bypassing its own context-specific lookup [1]. This design flaw causes incorrect routing decisions, which can be exploited to redirect or mishandle traffic.
Attack Scenario
An attacker can exploit this vulnerability by sending crafted IPv6 packets that trigger the seg6 lwtunnel processing. No authentication is required, and the attack can be performed over the network. The shared dst_cache leads to the wrong destination cache being used, potentially allowing an attacker to cause packets to be forwarded to an unintended next-hop or processed in the wrong routing domain. This can be particularly critical in environments with multiple routing tables, VRFs, or policy-based routing [2].
Impact
Successful exploitation could lead to a denial-of-service condition, information disclosure (packets reaching an unintended destination), or in certain network configurations, bypass of security policies enforced by routing rules. The CVSS score of 9.8 reflects the critical nature of this vulnerability, as it allows an attacker to disrupt network traffic without privileges [3].
Mitigation
The fix splits the single dst_cache into two separate caches: cache_input and cache_output. Each path now maintains its own independent cached destination entry, ensuring correct routing context for both input and output operations [4]. Patches have been applied to the stable kernel tree, and administrators should update their kernels to the fixed versions as soon as possible.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=4.10.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:4.10:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a (nvd, Patch)
- git.kernel.org/stable/c/1dec91d3b1cefb82635761b7812154af3ef46449 (nvd, Patch)
- git.kernel.org/stable/c/57d0374d14fa667dec6952173b93e7e84486d5c9 (nvd, Patch)
- git.kernel.org/stable/c/6305ad032b03d2ea4181b953a66e19a9a6ed053c (nvd, Patch)
- git.kernel.org/stable/c/750569d6987a0ff46317a4b86eb3907e296287bf (nvd, Patch)
- git.kernel.org/stable/c/84d458018b147176b259347103fccb7e93abd2b1 (nvd, Patch)
- git.kernel.org/stable/c/c3812651b522fe8437ebb7063b75ddb95b571643 (nvd, Patch)
- git.kernel.org/stable/c/fb56de5d99218de49d5d43ef3a99e062ecd0f9a1 (nvd, Patch)