CVE-2026-46260

Source
https://cve.org/CVERecord?id=CVE-2026-46260
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46260.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46260
Downstream
Published
2026-06-03T15:49:57.561Z
Modified
2026-07-08T08:13:40.975159139Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ipv6: Fix out-of-bound access in fib6_add_rt2node().
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix out-of-bound access in fib6addrt2node().

syzbot reported out-of-bound read in fib6addrt2node(). [0]

When IPv6 route is created with RTANHID, struct fib6info does not have the trailing struct fib6nh.

The cited commit started to check !iter->fib6nh->fibnhgwfamily to ensure that rt6qualifyfor_ecmp() will return false for iter.

If iter->nh is not NULL, rt6qualifyfor_ecmp() returns false anyway.

Let's check iter->nh before reading iter->fib6_nh and avoid OOB read.

Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500

CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dumpstacklvl+0xe8/0x150 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xba/0x230 mm/kasan/report.c:482 kasanreport+0x117/0x150 mm/kasan/report.c:595 fib6addrt2node+0x349c/0x3500 net/ipv6/ip6fib.c:1142 fib6addrt2nodenh net/ipv6/ip6fib.c:1363 [inline] fib6add+0x910/0x18c0 net/ipv6/ip6fib.c:1531 __ip6insrt net/ipv6/route.c:1351 [inline] ip6routeadd+0xde/0x1b0 net/ipv6/route.c:3957 inet6rtmnewroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlinkrcvmsg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlinkrcvskb+0x232/0x4b0 net/netlink/afnetlink.c:2550 netlinkunicastkernel net/netlink/afnetlink.c:1318 [inline] netlinkunicast+0x80f/0x9b0 net/netlink/afnetlink.c:1344 netlinksendmsg+0x813/0xb40 net/netlink/afnetlink.c:1894 socksendmsgnosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __dosyssendmsg net/socket.c:2683 [inline] __sesyssendmsg net/socket.c:2681 [inline] _x64syssendmsg+0x1bd/0x2a0 net/socket.c:2681 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xe2/0xf80 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f9316b9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIGRAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9 RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0 </TASK>

Allocated by task 5499: kasansavestack mm/kasan/common.c:57 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:78 poisonkmallocredzone mm/kasan/common.c:398 [inline] __kasankmalloc+0x93/0xb0 mm/kasan/common.c:415 kasankmalloc include/linux/kasan.h:263 [inline] __dokmallocnode mm/slub.c:5657 [inline] __kmallocnoprof+0x40c/0x7e0 mm/slub.c:5669 kmallocnoprof include/linux/slab.h:961 [inline] kzallocnoprof include/linux/slab.h:1094 [inline] fib6info_alloc+0x30/0xf0 net/ipv6/ip6fib.c:155 ip6routeinfocreate+0x142/0x860 net/ipv6/route.c:3820 ip6routeadd+0x49/0x1b0 net/ipv6/route.c:3949 inet6rtmnewroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlinkrcvmsg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlinkrcvskb+0x232/0x4b0 net/netlink/afnetlink.c:2550 netlinkunicastkernel net/netlink/afnetlink.c:1318 [inline] netlinkunicast+0x80f/0x9b0 net/netlink/afnetlink.c:1344 netlinksendmsg+0x813/0xb40 net/netlink/afnetlink.c:1894 socksendmsgnosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 __syss ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46260.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
50b7c7a255858a85c4636a1e990ca04591153dca
Fixed
bcc60ad129ae1837cf809c81bff56ec8bfdb6b11
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d8143c54ceeba232dc8a13aa0afa14a44b371d93
Fixed
bf5009a06e03ee9a51052bb59f2228a5e4e66260
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b8ad2d53f706aeea833d23d45c0758398fede580
Fixed
03b5051e02f5a3772eee57493ad697d4b505b0c2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25
Fixed
500e54615c97bc3c427e52305a6fcd38a0e008a3
Fixed
8244f959e2c125c849e569f5b23ed49804cce695
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.6.124
Fixed
6.6.128
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.12.70
Fixed
6.12.75
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.18.10
Fixed
6.18.14

Affected versions

v6.*
v6.12.70
v6.12.71
v6.12.72
v6.12.73
v6.12.74
v6.18.10
v6.18.11
v6.18.12
v6.18.13
v6.6.124
v6.6.125
v6.6.126
v6.6.127

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46260.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46260.json"