What is GHSA-9x88-7c3c-r34g?

GHSA-9x88-7c3c-r34g is a security advisory published by GitHub Security Advisories with High severity. In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use...

Which CVE IDs does GHSA-9x88-7c3c-r34g cover?

GHSA-9x88-7c3c-r34g covers the following CVE IDs: CVE-2026-46099. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-9x88-7c3c-r34g?

GHSA-9x88-7c3c-r34g has a CVSS v3 base score of 8.1, published by GitHub Security Advisories.

GHSA-9x88-7c3c-r34gHighCVSS 8.1

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use...

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 30, 2026

🔗 CVE IDs covered (1)

CVE-2026-46099 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence:

ksoftirqd/X higher-prio task (same CPU X)

seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1]

                                rt_genid_bump_ipv6()
                                  -> bumps fib6_sernum
                                     [fib6_sernum from W to Z]
                                ip6_route_output()
                                  -> ip6_pol_route()
                                    -> FIB lookup resolves fib6_nh
                                       [nhid=N]
                                    -> rt6_get_pcpu_route()
                                         pcpu_rt->sernum != fib6_sernum
                                         [W <> Z, stale]
                                      -> prev = xchg(rt6i_pcpu, NULL)
                                      -> dst_release(prev)
                                         [prev is pcpu_rt,
                                          refcount 1->0, dead]

dst = skb_dst(skb)
[dst is the dead pcpu_rt]
dst_cache_set_ip6(dst)
  -> dst_hold() on dead dst
  -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.

🔗 CVE IDs covered (1)

📋 Description

🔗 References (7)