ip6_gre: Use cached t->net in ip6erspan_changelink().
Summary
| CVE | CVE-2026-46120 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-05-28 10:16:27 UTC |
|---|
| Updated | 2026-05-28 13:44:01 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: Use cached t->net in ip6erspan_changelink().
After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.
This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().
Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).
ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape. |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected 2d665034f239412927b1e71329f20f001c92da09 eca62bb0569de4d43a4dac06a2092a9d4ca1d702 git |
Not specified |
| CNA |
Linux |
Linux |
affected 2d665034f239412927b1e71329f20f001c92da09 311fdd26eb4443d43b909cc67a10f3a5fd1b21b2 git |
Not specified |
| CNA |
Linux |
Linux |
affected 2d665034f239412927b1e71329f20f001c92da09 e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82 git |
Not specified |
| CNA |
Linux |
Linux |
affected 2d665034f239412927b1e71329f20f001c92da09 cf7fc624329e76c6394653d12353e1d033adea91 git |
Not specified |
| CNA |
Linux |
Linux |
affected 2d665034f239412927b1e71329f20f001c92da09 1d324c2f43f70c965f25c58cc3611c779adbe47e git |
Not specified |
| CNA |
Linux |
Linux |
affected c6d72628352c949629af619b77b042e0fb5245e7 git |
Not specified |
| CNA |
Linux |
Linux |
affected 4.16.12 4.17 semver |
Not specified |
| CNA |
Linux |
Linux |
affected 4.17 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 4.17 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.6.140 6.6.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.12.88 6.12.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.30 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0.7 7.0.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.1-rc3 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
