ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

Summary

CVE	CVE-2026-53221
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 09:16:39 UTC
Updated	2026-06-25 09:16:39 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remote address wildcard remote). - Tunnels matching the packet's remote address, with any local address (wildcard local). However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions. The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.

Risk And Classification

EPSS: 0.001840000 probability, percentile 0.081700000 (date 2026-06-25)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 c327fa4fca31415431202e063767a7ae342e19c6 git	Not specified
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 fc657ac0767c49839b3ef0b08dc0953ca30883f8 git	Not specified
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 47fb3c2b4203556308e64354b3e78f2ce221d646 git	Not specified
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 f513f308cc4bdb4530d033431592ffbc29b7fca1 git	Not specified
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 90fd4513315ca07da99cfd8549d3e553a7160f0d git	Not specified
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 2abfb19bbb81958714ad1d43ebeb65b30394184b git	Not specified
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d git	Not specified
CNA	Linux	Linux	affected fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9 git	Not specified
CNA	Linux	Linux	affected 3.19	Not specified
CNA	Linux	Linux	unaffected 3.19 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.259 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.210 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.176 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.143 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.94 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.36 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.13 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/f513f308cc4bdb4530d033431592ffbc29b7fca1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2abfb19bbb81958714ad1d43ebeb65b30394184b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/fc657ac0767c49839b3ef0b08dc0953ca30883f8	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/47fb3c2b4203556308e64354b3e78f2ce221d646	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/90fd4513315ca07da99cfd8549d3e553a7160f0d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c327fa4fca31415431202e063767a7ae342e19c6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.