{"api_version":"1","generated_at":"2026-05-30T12:19:04+00:00","cve":"CVE-2026-45905","urls":{"html":"https://cve.report/CVE-2026-45905","api":"https://cve.report/api/cve/CVE-2026-45905.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45905","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45905"},"summary":{"title":"xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix ip_rt_bug race in icmp_route_lookup reverse path\n\nicmp_route_lookup() performs multiple route lookups to find a suitable\nroute for sending ICMP error messages, with special handling for XFRM\n(IPsec) policies.\n\nThe lookup sequence is:\n1. First, lookup output route for ICMP reply (dst = original src)\n2. Pass through xfrm_lookup() for policy check\n3. If blocked (-EPERM) or dst is not local, enter \"reverse path\"\n4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec\n   which reverses the original packet's flow (saddr<->daddr swapped)\n5. If fl4_dec.saddr is local (we are the original destination), use\n   __ip_route_output_key() for output route lookup\n6. If fl4_dec.saddr is NOT local (we are a forwarding node), use\n   ip_route_input() to simulate the reverse packet's input path\n7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag\n\nThe bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr\n(original packet's source) as destination. If this address becomes local\nbetween the initial check and ip_route_input() call (e.g., due to\nconcurrent \"ip addr add\"), ip_route_input() returns a LOCAL route with\ndst.output set to ip_rt_bug.\n\nThis route is then used for ICMP output, causing dst_output() to call\nip_rt_bug(), triggering a WARN_ON:\n\n ------------[ cut here ]------------\n WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1\n Call Trace:\n  <TASK>\n  ip_push_pending_frames+0x202/0x240\n  icmp_push_reply+0x30d/0x430\n  __icmp_send+0x1149/0x24f0\n  ip_options_compile+0xa2/0xd0\n  ip_rcv_finish_core+0x829/0x1950\n  ip_rcv+0x2d7/0x420\n  __netif_receive_skb_one_core+0x185/0x1f0\n  netif_receive_skb+0x90/0x450\n  tun_get_user+0x3413/0x3fb0\n  tun_chr_write_iter+0xe4/0x220\n  ...\n\nFix this by checking rt2->rt_type after ip_route_input(). If it's\nRTN_LOCAL, the route cannot be used for output, so treat it as an error.\n\nThe reproducer requires kernel modification to widen the race window,\nmaking it unsuitable as a selftest. It is available at:\n\n  https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:04","updated_at":"2026-05-27 14:48:31"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b","name":"https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652","name":"https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00","name":"https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c","name":"https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228","name":"https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1","name":"https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45905","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45905","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 9a95ec9144eeff1fc6fbcc21b677e322c6f1430b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 2c1f59005da9dd4b07b26984fd719e36557dc57c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 b04061f89ffc6168e7ec3c71d0086ec3c3797228 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 423ce12d10b426709489d6b84fdaa6d2f31c5652 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.25","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.25 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.165 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.128 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45905","cve":"CVE-2026-45905","epss":"0.000240000","percentile":"0.073930000","score_date":"2026-05-29","updated_at":"2026-05-30 00:13:24"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/ipv4/icmp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"9a95ec9144eeff1fc6fbcc21b677e322c6f1430b","status":"affected","version":"8b7817f3a959ed99d7443afc12f78a7e1fcc2063","versionType":"git"},{"lessThan":"2c1f59005da9dd4b07b26984fd719e36557dc57c","status":"affected","version":"8b7817f3a959ed99d7443afc12f78a7e1fcc2063","versionType":"git"},{"lessThan":"b04061f89ffc6168e7ec3c71d0086ec3c3797228","status":"affected","version":"8b7817f3a959ed99d7443afc12f78a7e1fcc2063","versionType":"git"},{"lessThan":"1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1","status":"affected","version":"8b7817f3a959ed99d7443afc12f78a7e1fcc2063","versionType":"git"},{"lessThan":"423ce12d10b426709489d6b84fdaa6d2f31c5652","status":"affected","version":"8b7817f3a959ed99d7443afc12f78a7e1fcc2063","versionType":"git"},{"lessThan":"81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00","status":"affected","version":"8b7817f3a959ed99d7443afc12f78a7e1fcc2063","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/ipv4/icmp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.25"},{"lessThan":"2.6.25","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.165","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.128","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.165","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.128","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"2.6.25","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix ip_rt_bug race in icmp_route_lookup reverse path\n\nicmp_route_lookup() performs multiple route lookups to find a suitable\nroute for sending ICMP error messages, with special handling for XFRM\n(IPsec) policies.\n\nThe lookup sequence is:\n1. First, lookup output route for ICMP reply (dst = original src)\n2. Pass through xfrm_lookup() for policy check\n3. If blocked (-EPERM) or dst is not local, enter \"reverse path\"\n4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec\n   which reverses the original packet's flow (saddr<->daddr swapped)\n5. If fl4_dec.saddr is local (we are the original destination), use\n   __ip_route_output_key() for output route lookup\n6. If fl4_dec.saddr is NOT local (we are a forwarding node), use\n   ip_route_input() to simulate the reverse packet's input path\n7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag\n\nThe bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr\n(original packet's source) as destination. If this address becomes local\nbetween the initial check and ip_route_input() call (e.g., due to\nconcurrent \"ip addr add\"), ip_route_input() returns a LOCAL route with\ndst.output set to ip_rt_bug.\n\nThis route is then used for ICMP output, causing dst_output() to call\nip_rt_bug(), triggering a WARN_ON:\n\n ------------[ cut here ]------------\n WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1\n Call Trace:\n  <TASK>\n  ip_push_pending_frames+0x202/0x240\n  icmp_push_reply+0x30d/0x430\n  __icmp_send+0x1149/0x24f0\n  ip_options_compile+0xa2/0xd0\n  ip_rcv_finish_core+0x829/0x1950\n  ip_rcv+0x2d7/0x420\n  __netif_receive_skb_one_core+0x185/0x1f0\n  netif_receive_skb+0x90/0x450\n  tun_get_user+0x3413/0x3fb0\n  tun_chr_write_iter+0xe4/0x220\n  ...\n\nFix this by checking rt2->rt_type after ip_route_input(). If it's\nRTN_LOCAL, the route cannot be used for output, so treat it as an error.\n\nThe reproducer requires kernel modification to widen the race window,\nmaking it unsuitable as a selftest. It is available at:\n\n  https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81"}],"providerMetadata":{"dateUpdated":"2026-05-27T12:17:15.050Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b"},{"url":"https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c"},{"url":"https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228"},{"url":"https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1"},{"url":"https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652"},{"url":"https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00"}],"title":"xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45905","datePublished":"2026-05-27T12:17:15.050Z","dateReserved":"2026-05-13T15:03:33.084Z","dateUpdated":"2026-05-27T12:17:15.050Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:04","lastModifiedDate":"2026-05-27 14:48:31","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45905","Ordinal":"1","Title":"xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path","CVE":"CVE-2026-45905","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45905","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix ip_rt_bug race in icmp_route_lookup reverse path\n\nicmp_route_lookup() performs multiple route lookups to find a suitable\nroute for sending ICMP error messages, with special handling for XFRM\n(IPsec) policies.\n\nThe lookup sequence is:\n1. First, lookup output route for ICMP reply (dst = original src)\n2. Pass through xfrm_lookup() for policy check\n3. If blocked (-EPERM) or dst is not local, enter \"reverse path\"\n4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec\n   which reverses the original packet's flow (saddr<->daddr swapped)\n5. If fl4_dec.saddr is local (we are the original destination), use\n   __ip_route_output_key() for output route lookup\n6. If fl4_dec.saddr is NOT local (we are a forwarding node), use\n   ip_route_input() to simulate the reverse packet's input path\n7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag\n\nThe bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr\n(original packet's source) as destination. If this address becomes local\nbetween the initial check and ip_route_input() call (e.g., due to\nconcurrent \"ip addr add\"), ip_route_input() returns a LOCAL route with\ndst.output set to ip_rt_bug.\n\nThis route is then used for ICMP output, causing dst_output() to call\nip_rt_bug(), triggering a WARN_ON:\n\n ------------[ cut here ]------------\n WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1\n Call Trace:\n  <TASK>\n  ip_push_pending_frames+0x202/0x240\n  icmp_push_reply+0x30d/0x430\n  __icmp_send+0x1149/0x24f0\n  ip_options_compile+0xa2/0xd0\n  ip_rcv_finish_core+0x829/0x1950\n  ip_rcv+0x2d7/0x420\n  __netif_receive_skb_one_core+0x185/0x1f0\n  netif_receive_skb+0x90/0x450\n  tun_get_user+0x3413/0x3fb0\n  tun_chr_write_iter+0xe4/0x220\n  ...\n\nFix this by checking rt2->rt_type after ip_route_input(). If it's\nRTN_LOCAL, the route cannot be used for output, so treat it as an error.\n\nThe reproducer requires kernel modification to widen the race window,\nmaking it unsuitable as a selftest. It is available at:\n\n  https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81","Type":"Description","Title":"xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path"}]}}}