CVE-2026-45847
Description
In the Linux kernel, the following vulnerability has been resolved:
net: remove WARN_ON_ONCE when accessing forward path array
Although unlikely, recent support for IPIP tunnels increases chances of reaching this WARN_ON_ONCE if userspace manages to build a sufficiently long forward path.
Remove it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remove WARN_ON_ONCE in Linux kernel IPIP tunnel forward path to avoid potential panic when userspace constructs a long forward path.
Vulnerability
A WARN_ON_ONCE exists in the Linux kernel's net subsystem when accessing the forward path array. Recent support for IPIP tunnels can increase the likelihood of triggering this warning if userspace builds a sufficiently long forward path. This affects the Linux kernel versions that include the IPIP tunnel changes.
Exploitation
An attacker who can construct a long forward path from userspace can trigger the WARN_ON_ONCE. No authentication or special privileges are required beyond the ability to configure IPIP tunnels, but detailed exploitation steps are not disclosed in the available references.
Impact
The WARN_ON_ONCE can cause a kernel warning message and, if the system is configured with panic_on_warn, a kernel panic, leading to denial of service. The exact impact depends on the system's kernel configuration.
Mitigation
The fix is available in the Linux kernel commit 9464ca7a6e56ad1ebf48b2ad5c16871edfad10c6. Users should apply the latest kernel updates from their distribution. No workarounds are mentioned in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
008e7a7c293b net: remove WARN_ON_ONCE when accessing forward path array
1 file changed · +1 −2
net/core/dev.c+1 −2 modifieddiff --git a/net/core/dev.c b/net/core/dev.c index 96f89eb797e891..096b3ff13f6b9b 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -744,7 +744,7 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) { int k = stack->num_paths++; - if (WARN_ON_ONCE(k >= NET_DEVICE_PATH_STACK_MAX)) + if (k >= NET_DEVICE_PATH_STACK_MAX) return NULL; return &stack->path[k]; -- cgit 1.3-korg
9464ca7a6e56 net: remove WARN_ON_ONCE when accessing forward path array
1 file changed · +1 −2
net/core/dev.c+1 −2 modifieddiff --git a/net/core/dev.c b/net/core/dev.c index 206194bb8fcadd..890535fa52be67 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -701,7 +701,7 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) { int k = stack->num_paths++; - if (WARN_ON_ONCE(k >= NET_DEVICE_PATH_STACK_MAX)) + if (k >= NET_DEVICE_PATH_STACK_MAX) return NULL; return &stack->path[k]; -- cgit 1.3-korg
dcf9b3c90e55 net: remove WARN_ON_ONCE when accessing forward path array
1 file changed · +1 −2
net/core/dev.c+1 −2 modifieddiff --git a/net/core/dev.c b/net/core/dev.c index 69bb7ac73d047a..c2ca0b45bd37de 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -695,7 +695,7 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) { int k = stack->num_paths++; - if (WARN_ON_ONCE(k >= NET_DEVICE_PATH_STACK_MAX)) + if (k >= NET_DEVICE_PATH_STACK_MAX) return NULL; return &stack->path[k]; -- cgit 1.3-korg
548244c2f542 net: remove WARN_ON_ONCE when accessing forward path array
1 file changed · +1 −2
net/core/dev.c+1 −2 modifieddiff --git a/net/core/dev.c b/net/core/dev.c index 977146a70b8c15..48abe997e6f3bd 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -750,7 +750,7 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) { int k = stack->num_paths++; - if (WARN_ON_ONCE(k >= NET_DEVICE_PATH_STACK_MAX)) + if (k >= NET_DEVICE_PATH_STACK_MAX) return NULL; return &stack->path[k]; -- cgit 1.3-korg
959ea349c7e2 net: remove WARN_ON_ONCE when accessing forward path array
1 file changed · +1 −2
net/core/dev.c+1 −2 modifieddiff --git a/net/core/dev.c b/net/core/dev.c index 1d276a26a360de..553317ad6f1b4e 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -720,7 +720,7 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) { int k = stack->num_paths++; - if (WARN_ON_ONCE(k >= NET_DEVICE_PATH_STACK_MAX)) + if (k >= NET_DEVICE_PATH_STACK_MAX) return NULL; return &stack->path[k]; -- cgit 1.3-korg
50422613185d net: remove WARN_ON_ONCE when accessing forward path array
1 file changed · +1 −2
net/core/dev.c+1 −2 modifieddiff --git a/net/core/dev.c b/net/core/dev.c index 5b536860138d19..ff70c902a4196b 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -738,7 +738,7 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) { int k = stack->num_paths++; - if (WARN_ON_ONCE(k >= NET_DEVICE_PATH_STACK_MAX)) + if (k >= NET_DEVICE_PATH_STACK_MAX) return NULL; return &stack->path[k]; -- cgit 1.3-korg
a78d055ba7c3 net: remove WARN_ON_ONCE when accessing forward path array
1 file changed · +1 −2
net/core/dev.c+1 −2 modifieddiff --git a/net/core/dev.c b/net/core/dev.c index ccef685023c299..f5e4040e08399c 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -738,7 +738,7 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) { int k = stack->num_paths++; - if (WARN_ON_ONCE(k >= NET_DEVICE_PATH_STACK_MAX)) + if (k >= NET_DEVICE_PATH_STACK_MAX) return NULL; return &stack->path[k]; -- cgit 1.3-korg
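Review bot: in dev_fwd_path(), `int k = stack->num_paths++;` still runs before the bounds check, so on the path that now returns NULL without a warning, num_paths is left above NET_DEVICE_PATH_STACK_MAX. Any caller that later walks stack->path[] up to num_paths would index past the array, so either move the increment after the check or state in a comment that callers must discard the stack when NULL is returned. With the WARN_ON_ONCE gone the overflow is also silent; a short comment above `if (k >= NET_DEVICE_PATH_STACK_MAX)` noting that the limit is reachable from userspace configuration would record why there is no warning here. The same applies to each of the backports listed above, which carry the identical hunk.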
Vulnerability mechanics
Root cause
"A WARN_ON_ONCE assertion in dev_fwd_path() triggers a kernel warning (and possible panic on some configurations) when the forward path stack exceeds NET_DEVICE_PATH_STACK_MAX, which can now be reached due to IPIP tunnel nesting."
Attack vector
An attacker with the ability to configure network forwarding paths (e.g., via IPIP tunnel setups) can craft a sufficiently long chain of virtual netdevices that causes the forward path stack depth to reach or exceed NET_DEVICE_PATH_STACK_MAX. When dev_fwd_path() is called, the WARN_ON_ONCE fires, producing a kernel splat and potentially crashing the system depending on the panic-on-warn setting. The attack requires the ability to create and configure network tunnels, which typically needs CAP_NET_ADMIN privileges.
Affected code
The function dev_fwd_path() in net/core/dev.c, which manages a fixed-size stack (NET_DEVICE_PATH_STACK_MAX) of struct net_device_path entries used for forwarding path resolution.
What the fix does
The patch removes the WARN_ON_ONCE wrapper from the bounds check in dev_fwd_path() in net/core/dev.c [patch_id=2662138]. The underlying NULL-return logic when k >= NET_DEVICE_PATH_STACK_MAX is preserved, so the function still safely handles overflow by returning NULL. The change simply eliminates the spurious kernel warning that could be triggered by legitimate (if unusual) long forwarding paths created via IPIP tunnels. All stable backports apply the same one-line change [patch_id=2662146] through [patch_id=2662151].
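A user-space model of the bounds check, added here as an illustration (it is not kernel code and not part of the patch): it shows that an over-depth path is rejected with NULL both before and after the fix, and that only the warning, and the panic under panic_on_warn, goes away. The value 5 for NET_DEVICE_PATH_STACK_MAX, the resolve() caller and the outcome enum are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NET_DEVICE_PATH_STACK_MAX 5   /* assumed value; not stated on the page */

struct net_device_path { int hop; };  /* stand-in for the kernel struct */
struct net_device_path_stack {
    int num_paths;
    struct net_device_path path[NET_DEVICE_PATH_STACK_MAX];
};

enum outcome { RESOLVED, REJECTED, REJECTED_WITH_SPLAT, PANIC };

/* Bounds check as in the diff; with_warn selects the pre-fix behaviour.
 * The model flags a splat on every overflow; the real macro prints once. */
static struct net_device_path *
fwd_path(struct net_device_path_stack *s, bool with_warn, bool *splat)
{
    int k = s->num_paths++;           /* incremented even on overflow */

    if (k >= NET_DEVICE_PATH_STACK_MAX) {
        if (with_warn)
            *splat = true;            /* WARN_ON_ONCE would log a backtrace */
        return NULL;
    }
    return &s->path[k];
}

/* Hypothetical caller: takes one slot per stacked device, stops on NULL. */
enum outcome resolve(int depth, bool with_warn, bool panic_on_warn)
{
    struct net_device_path_stack s = { 0 };
    bool splat = false;

    for (int i = 0; i < depth; i++) {
        struct net_device_path *p = fwd_path(&s, with_warn, &splat);
        if (!p) {
            if (!splat)
                return REJECTED;      /* post-fix: quiet failure */
            return panic_on_warn ? PANIC : REJECTED_WITH_SPLAT;
        }
        p->hop = i;
    }
    return RESOLVED;
}

int main(void)
{
    printf("pre-fix,  depth 6, panic_on_warn=1: %d\n", resolve(6, true, true));
    printf("post-fix, depth 6, panic_on_warn=1: %d\n", resolve(6, false, true));
    return 0;
}
```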
Preconditions
- auth: Attacker must have CAP_NET_ADMIN privileges (or equivalent) to configure IPIP tunnels and network forwarding paths.
- config: The system must have IPIP tunnel support enabled (recent kernel with IPIP tunnel nesting).
- input: The attacker must construct a forwarding path chain that reaches or exceeds NET_DEVICE_PATH_STACK_MAX entries.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/008e7a7c293b30bc43e4368dac6ea3808b75a572 (nvd)
- git.kernel.org/stable/c/50422613185d505201167e8bdd2f2700790d5db6 (nvd)
- git.kernel.org/stable/c/548244c2f542aa0ad49453e9306e715a3877bc44 (nvd)
- git.kernel.org/stable/c/9464ca7a6e56ad1ebf48b2ad5c16871edfad10c6 (nvd)
- git.kernel.org/stable/c/959ea349c7e2d4edf07b6838ca7e59345fe61a08 (nvd)
- git.kernel.org/stable/c/a78d055ba7c31103ad02f8eceb0c452e154d2660 (nvd)
- git.kernel.org/stable/c/dcf9b3c90e5560339649d088836529883fb509f3 (nvd)