HOMEVULNERABILITIESCVE-2026-46099
HIGH

CVE-2026-46099

Published: May 27, 2026· Updated: Jun 1, 2026

8.1
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:5.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a

NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking

dst_hold() unconditionally.

On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can

release the underlying pcpu_rt between the lookup and the caching

through a concurrent FIB lookup on a shared nexthop.

Simplified race sequence:

ksoftirqd/X higher-prio task (same CPU X)

----------- --------------------------------

seg6_input_core(,skb)/rpl_input(skb)

dst_cache_get()

-> miss

ip6_route_input(skb)

-> ip6_pol_route(,skb,flags)

[RT6_LOOKUP_F_DST_NOREF in flags]

-> FIB lookup resolves fib6_nh

[nhid=N route]

-> rt6_make_pcpu_route()

[creates pcpu_rt, refcount=1]

pcpu_rt->sernum = fib6_sernum

[fib6_sernum=W]

-> cmpxchg(fib6_nh.rt6i_pcpu,

NULL, pcpu_rt)

[slot was empty, store succeeds]

-> skb_dst_set_noref(skb, dst)

[dst is pcpu_rt, refcount still 1]

rt_genid_bump_ipv6()

-> bumps fib6_sernum

[fib6_sernum from W to Z]

ip6_route_output()

-> ip6_pol_route()

-> FIB lookup resolves fib6_nh

[nhid=N]

-> rt6_get_pcpu_route()

pcpu_rt->sernum != fib6_sernum

[W <> Z, stale]

-> prev = xchg(rt6i_pcpu, NULL)

-> dst_release(prev)

[prev is pcpu_rt,

refcount 1->0, dead]

dst = skb_dst(skb)

[dst is the dead pcpu_rt]

dst_cache_set_ip6(dst)

-> dst_hold() on dead dst

-> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without

PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release

the pcpu_rt. Shared nexthop objects provide such a path, as two routes

pointing to the same nhid share the same fib6_nh and its rt6i_pcpu

entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after

ip6_route_input() to force the NOREF dst into a refcounted one before

caching.

The output path is not affected as ip6_route_output() already returns a

refcounted dst.

NVD Source

Technical Analysis

CVE-2026-46099 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.1.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityHigh
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (7)

Quick Facts

CVE IDCVE-2026-46099
CVSS Score8.1 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46099 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.