CVE-2026-46260
Description
Linux kernel's IPv6 routing mishandles route creation, leading to an out-of-bounds read vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel's IPv6 routing mishandles route creation, leading to an out-of-bounds read vulnerability.
Vulnerability
An out-of-bounds read vulnerability exists in the fib6_add_rt2node() function within the Linux kernel's IPv6 routing implementation. This occurs when an IPv6 route is created with RTA_NH_ID, and the struct fib6_info does not properly account for the trailing struct fib6_nh. The vulnerability was reported by syzbot and affects versions prior to the fix.
Exploitation
An attacker would need to trigger the creation of a specific IPv6 route configuration that leads to the fib6_add_rt2node() function being called with conditions that bypass checks. This could potentially be achieved through network configuration interfaces or by exploiting other vulnerabilities that allow for the manipulation of routing tables. The exact steps to trigger the out-of-bounds read are not detailed in the available references.
Impact
Successful exploitation of this vulnerability results in an out-of-bounds read within the kernel. This can lead to information disclosure, denial of service, or potentially code execution depending on the specific memory contents read and the kernel's state. The vulnerability occurs within the kernel context, implying a high level of privilege.
Mitigation
The vulnerability has been resolved via a commit that adds checks to prevent the out-of-bounds read. The fixed version is not explicitly stated, but the commit reference [1] points to the resolution. No specific workaround is mentioned, and the End-of-Life status or KEV listing are not disclosed in the available references.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
108244f959e2c1ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 9880d608392b4..56058e6de490b 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
bcc60ad129aeipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index fe57884ca7238..6fe867579118b 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1137,7 +1137,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
bf5009a06e03ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index d83430f4a0eff..01c953a39211a 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
03b5051e02f5ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index c6439e30e892a..cc149227b49f4 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
500e54615c97ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index c6439e30e892a..cc149227b49f4 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
500e54615c97ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index c6439e30e892a..cc149227b49f4 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
bcc60ad129aeipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index fe57884ca7238..6fe867579118b 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1137,7 +1137,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
bf5009a06e03ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index d83430f4a0eff..01c953a39211a 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
8244f959e2c1ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 9880d608392b4..56058e6de490b 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
03b5051e02f5ipv6: Fix out-of-bound access in fib6_add_rt2node().
1 file changed · +1 −2
net/ipv6/ip6_fib.c+1 −2 modifieddiff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index c6439e30e892a..cc149227b49f4 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1139,7 +1139,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_add_gc_list(iter); } if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && - !iter->fib6_nh->fib_nh_gw_family) { + (iter->nh || !iter->fib6_nh->fib_nh_gw_family)) { iter->fib6_flags &= ~RTF_ADDRCONF; iter->fib6_flags &= ~RTF_PREFIX_RT; } -- cgit 1.3-korg
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References
5- git.kernel.org/stable/c/03b5051e02f5a3772eee57493ad697d4b505b0c2nvd
- git.kernel.org/stable/c/500e54615c97bc3c427e52305a6fcd38a0e008a3nvd
- git.kernel.org/stable/c/8244f959e2c125c849e569f5b23ed49804cce695nvd
- git.kernel.org/stable/c/bcc60ad129ae1837cf809c81bff56ec8bfdb6b11nvd
- git.kernel.org/stable/c/bf5009a06e03ee9a51052bb59f2228a5e4e66260nvd
News mentions
2- Google Android and Linux Kernel: 50 Vulnerabilities Disclosed in Two BatchesVypr Intelligence · Jun 3, 2026
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026Vypr Intelligence · Jun 3, 2026