Vulnerability-Lookup

GHSA-86P8-J8P2-R223

Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-06-05 09:33

Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix out-of-bound access in fib6_add_rt2node().

syzbot reported out-of-bound read in fib6_add_rt2node(). [0]

When IPv6 route is created with RTA_NH_ID, struct fib6_info does not have the trailing struct fib6_nh.

The cited commit started to check !iter->fib6_nh->fib_nh_gw_family to ensure that rt6_qualify_for_ecmp() will return false for iter.

If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway.

Let's check iter->nh before reading iter->fib6_nh and avoid OOB read.

[0]: BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500

CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline] fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531 __ip6_ins_rt net/ipv6/route.c:1351 [inline] ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] _syssendmsg+0xa68/0xad0 net/socket.c:2592 _sys_sendmsg+0x2a5/0x360 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f9316b9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9 RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0

Allocated by task 5499: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820 ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] _syssendmsg+0xa68/0xad0 net/socket.c:2592 _sys_s ---truncated---

Severity

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-46260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T18:16:27Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bound access in fib6_add_rt2node().\n\nsyzbot reported out-of-bound read in fib6_add_rt2node(). [0]\n\nWhen IPv6 route is created with RTA_NH_ID, struct fib6_info\ndoes not have the trailing struct fib6_nh.\n\nThe cited commit started to check !iter-\u003efib6_nh-\u003efib_nh_gw_family\nto ensure that rt6_qualify_for_ecmp() will return false for iter.\n\nIf iter-\u003enh is not NULL, rt6_qualify_for_ecmp() returns false anyway.\n\nLet\u0027s check iter-\u003enh before reading iter-\u003efib6_nh and avoid OOB read.\n\n[0]:\nBUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\nRead of size 1 at addr ffff8880384ba6de by task syz.0.18/5500\n\nCPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\n fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]\n fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f9316b9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9\nRDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003\nRBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0\n \u003c/TASK\u003e\n\nAllocated by task 5499:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155\n ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820\n ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_s\n---truncated---",
  "id": "GHSA-86p8-j8p2-r223",
  "modified": "2026-06-05T09:33:46Z",
  "published": "2026-06-03T18:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46260"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03b5051e02f5a3772eee57493ad697d4b505b0c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/500e54615c97bc3c427e52305a6fcd38a0e008a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8244f959e2c125c849e569f5b23ed49804cce695"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcc60ad129ae1837cf809c81bff56ec8bfdb6b11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf5009a06e03ee9a51052bb59f2228a5e4e66260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2026-46260 (GCVE-0-2026-46260)

Vulnerability from cvelistv5 – Published: 2026-06-03 15:49 – Updated: 2026-06-05 06:06

Title

ipv6: Fix out-of-bound access in fib6_add_rt2node().

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix out-of-bound access in fib6_add_rt2node(). syzbot reported out-of-bound read in fib6_add_rt2node(). [0] When IPv6 route is created with RTA_NH_ID, struct fib6_info does not have the trailing struct fib6_nh. The cited commit started to check !iter->fib6_nh->fib_nh_gw_family to ensure that rt6_qualify_for_ecmp() will return false for iter. If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway. Let's check iter->nh before reading iter->fib6_nh and avoid OOB read. [0]: BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500 CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline] fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531 __ip6_ins_rt net/ipv6/route.c:1351 [inline] ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f9316b9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9 RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0 </TASK> Allocated by task 5499: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820 ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_s ---truncated---

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/bcc60ad129ae1837c…
https://git.kernel.org/stable/c/bf5009a06e03ee9a5…
https://git.kernel.org/stable/c/03b5051e02f5a3772…
https://git.kernel.org/stable/c/500e54615c97bc3c4…
https://git.kernel.org/stable/c/8244f959e2c125c84…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 50b7c7a255858a85c4636a1e990ca04591153dca , < bcc60ad129ae1837cf809c81bff56ec8bfdb6b11 (git) Affected: d8143c54ceeba232dc8a13aa0afa14a44b371d93 , < bf5009a06e03ee9a51052bb59f2228a5e4e66260 (git) Affected: b8ad2d53f706aeea833d23d45c0758398fede580 , < 03b5051e02f5a3772eee57493ad697d4b505b0c2 (git) Affected: bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 , < 500e54615c97bc3c427e52305a6fcd38a0e008a3 (git) Affected: bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 , < 8244f959e2c125c849e569f5b23ed49804cce695 (git) Affected: 6.6.124 , < 6.6.128 (semver) Affected: 6.12.70 , < 6.12.75 (semver) Affected: 6.18.10 , < 6.18.14 (semver)
Linux	Linux	Affected: 6.19 Unaffected: 0 , < 6.19 (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_fib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bcc60ad129ae1837cf809c81bff56ec8bfdb6b11",
              "status": "affected",
              "version": "50b7c7a255858a85c4636a1e990ca04591153dca",
              "versionType": "git"
            },
            {
              "lessThan": "bf5009a06e03ee9a51052bb59f2228a5e4e66260",
              "status": "affected",
              "version": "d8143c54ceeba232dc8a13aa0afa14a44b371d93",
              "versionType": "git"
            },
            {
              "lessThan": "03b5051e02f5a3772eee57493ad697d4b505b0c2",
              "status": "affected",
              "version": "b8ad2d53f706aeea833d23d45c0758398fede580",
              "versionType": "git"
            },
            {
              "lessThan": "500e54615c97bc3c427e52305a6fcd38a0e008a3",
              "status": "affected",
              "version": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25",
              "versionType": "git"
            },
            {
              "lessThan": "8244f959e2c125c849e569f5b23ed49804cce695",
              "status": "affected",
              "version": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.128",
              "status": "affected",
              "version": "6.6.124",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.75",
              "status": "affected",
              "version": "6.12.70",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.14",
              "status": "affected",
              "version": "6.18.10",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_fib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "6.6.124",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "6.12.70",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "6.18.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bound access in fib6_add_rt2node().\n\nsyzbot reported out-of-bound read in fib6_add_rt2node(). [0]\n\nWhen IPv6 route is created with RTA_NH_ID, struct fib6_info\ndoes not have the trailing struct fib6_nh.\n\nThe cited commit started to check !iter-\u003efib6_nh-\u003efib_nh_gw_family\nto ensure that rt6_qualify_for_ecmp() will return false for iter.\n\nIf iter-\u003enh is not NULL, rt6_qualify_for_ecmp() returns false anyway.\n\nLet\u0027s check iter-\u003enh before reading iter-\u003efib6_nh and avoid OOB read.\n\n[0]:\nBUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\nRead of size 1 at addr ffff8880384ba6de by task syz.0.18/5500\n\nCPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\n fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]\n fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f9316b9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9\nRDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003\nRBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0\n \u003c/TASK\u003e\n\nAllocated by task 5499:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155\n ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820\n ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_s\n---truncated---"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T06:06:29.838Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bcc60ad129ae1837cf809c81bff56ec8bfdb6b11"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf5009a06e03ee9a51052bb59f2228a5e4e66260"
        },
        {
          "url": "https://git.kernel.org/stable/c/03b5051e02f5a3772eee57493ad697d4b505b0c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/500e54615c97bc3c427e52305a6fcd38a0e008a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8244f959e2c125c849e569f5b23ed49804cce695"
        }
      ],
      "title": "ipv6: Fix out-of-bound access in fib6_add_rt2node().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46260",
    "datePublished": "2026-06-03T15:49:57.561Z",
    "dateReserved": "2026-05-13T15:03:33.108Z",
    "dateUpdated": "2026-06-05T06:06:29.838Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-86P8-J8P2-R223

CVE-2026-46260 (GCVE-0-2026-46260)

Tags

Sightings

Nomenclature