GHSA-h3c9-j2j5-6mffCriticalCVSS 9.8

In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix incorrect...

Published
June 25, 2026
Last Modified
June 28, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:

  • Tunnels matching the packet's local address, with any remote address wildcard remote).

  • Tunnels matching the packet's remote address, with any local address (wildcard local).

However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.

🔗 References (10)