CVE-2026-31668 Overview
CVE-2026-31668 is a Linux kernel vulnerability in the Segment Routing IPv6 (SRv6) seg6 lightweight tunnel (lwtunnel) implementation. The flaw stems from a shared dst_cache structure used by both the input and output encapsulation paths. The functions seg6_input_core() and seg6_output_core() may evaluate post-encapsulation Segment Identifier (SID) lookups under different routing contexts, such as ingress-interface ip rules or Virtual Routing and Forwarding (VRF) tables. Whichever path executes first populates the cache, and the other path reuses the cached destination without performing its own lookup.
Critical Impact
Network traffic traversing SRv6 tunnels can be routed through unintended paths, bypassing VRF separation and policy routing controls.
Affected Products
- Linux Kernel mainline from 4.10 onward (the release that introduced seg6 lwtunnel support)
- Linux Kernel 7.0 release candidates (rc1 through rc7)
- Distributions shipping affected stable kernel branches prior to the referenced fix commits
Discovery Timeline
- 2026-04-24 - CVE-2026-31668 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31668
Vulnerability Analysis
The seg6 lwtunnel subsystem implements SRv6 encapsulation for IPv6 packets traversing Linux routers. Each encap route allocates a single dst_cache instance to memoize the resolved destination after segment routing header insertion. This cache is consulted on both ingress-side encapsulation through seg6_input_core() and egress-side encapsulation through seg6_output_core().
The two code paths can resolve the post-encap SID against different Forwarding Information Base (FIB) tables. Policy-based routing rules matching on the ingress interface, or per-VRF table separation, produce divergent next-hop selections depending on which path performs the lookup. The shared cache treats both paths as equivalent and returns the first cached dst_entry to subsequent callers regardless of context.
Root Cause
The root cause is a single dst_cache field on the seg6 lwtunnel state structure that is shared between asymmetric routing contexts. Cache population is path-agnostic, but consumption is path-sensitive. The fix splits the field into cache_input and cache_output, allowing each path to maintain an independent cached destination. NVD has not assigned a specific CWE to this issue (NVD-CWE-noinfo); the defect is best characterized as improper isolation of routing state.
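The mechanism above, as an added illustrative model that is not kernel code and not taken from the fix commits: a single shared cache is primed by whichever path runs first, so the other path inherits a next hop its own FIB context would never select, while separate cache_input and cache_output slots keep the two contexts apart. Path names follow the page; the next-hop strings are constructed sample values.

```c
#include <string.h>

/* Constructed model of the seg6 lwtunnel dst_cache defect, not kernel code.
 * Path names mirror the page; next-hop strings are made-up sample values. */
typedef enum { PATH_INPUT, PATH_OUTPUT } seg6_path;

/* Post-encap SID lookup: an ingress-interface ip rule (or VRF table) applies
 * on the input path, while the output path resolves in the main table. */
static const char *fib_lookup_post_encap(seg6_path path)
{
    return path == PATH_INPUT ? "nh-vrf-tenant-a" : "nh-main";
}

/* Vulnerable layout: one dst_cache shared by both encapsulation paths. */
struct lwt_shared { const char *dst_cache; };

static const char *route_shared(struct lwt_shared *st, seg6_path path)
{
    if (!st->dst_cache)                   /* whichever path runs first primes it */
        st->dst_cache = fib_lookup_post_encap(path);
    return st->dst_cache;                 /* the other path reuses it, no lookup */
}

/* Fixed layout: cache_input and cache_output are independent. */
struct lwt_split { const char *cache_input; const char *cache_output; };

static const char *route_split(struct lwt_split *st, seg6_path path)
{
    const char **slot = path == PATH_INPUT ? &st->cache_input : &st->cache_output;
    if (!*slot)
        *slot = fib_lookup_post_encap(path);
    return *slot;
}

/* 1 when the output path inherits the input path's dst (the VRF bypass). */
int shared_cache_leaks(void)
{
    struct lwt_shared st = { NULL };
    (void)route_shared(&st, PATH_INPUT);  /* input path happens to run first */
    return strcmp(route_shared(&st, PATH_OUTPUT), "nh-main") != 0;
}

/* 1 when each path gets the dst its own routing context resolves to. */
int split_cache_isolates(void)
{
    struct lwt_split st = { NULL, NULL };
    (void)route_split(&st, PATH_INPUT);
    return strcmp(route_split(&st, PATH_OUTPUT), "nh-main") == 0 &&
           strcmp(route_split(&st, PATH_INPUT), "nh-vrf-tenant-a") == 0;
}
```

Swapping the order of the two calls in shared_cache_leaks() makes the input path inherit the main-table next hop instead, which is the order dependence the overview describes.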
Attack Vector
An attacker positioned on the network can send crafted IPv6 traffic to a router configured with seg6 lwtunnel encapsulation. By influencing which path primes the cache first, the attacker can cause subsequent packets to follow a routing decision that should not apply to them. This can bypass VRF isolation, leak traffic between tenant networks, or route packets around access controls implemented through ip rules. The exploitation requires no authentication and no user interaction.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the upstream commit messages referenced in Kernel Commit fb56de5 and related backports.
Detection Methods for CVE-2026-31668
Indicators of Compromise
- Unexpected IPv6 packets appearing in VRF tables or namespaces that should be isolated from seg6-encapsulated flows
- Routing decisions for SRv6 traffic that do not match the expected ip rule or VRF policy for the originating interface
- Anomalous neighbor cache entries on routers participating in SRv6 segment routing
Detection Strategies
- Compare the running kernel version from uname -r against the stable releases on git.kernel.org that carry the fix commits, to identify unpatched hosts
- Audit nodes with ip -6 route show filtered for encap seg6 routes and verify their routing context behavior matches policy expectations
- Correlate netfilter and conntrack logs against expected VRF boundaries to identify cross-context packet leakage
Monitoring Recommendations
- Enable kernel audit logging for changes to seg6 lwtunnel routes and VRF assignments
- Monitor IPv6 flow telemetry from routers performing SRv6 encapsulation for traffic appearing in unexpected egress interfaces
- Track kernel build metadata across the fleet to confirm rollout of stable kernel updates containing the dst_cache split
How to Mitigate CVE-2026-31668
Immediate Actions Required
- Apply the upstream stable kernel update containing the cache_input and cache_output split as soon as vendor packages are available
- Inventory all Linux routers and hosts using SRv6 segment routing with ip -6 route show type unicast | grep seg6 and prioritize patching
- Where patching is delayed, restrict administrative access to routers configured with seg6 lwtunnel to trusted operators only
Patch Information
The fix is distributed across multiple stable branches. Reference commits include Kernel Commit 17d87d4, Kernel Commit 1dec91d, Kernel Commit 57d0374, Kernel Commit 6305ad0, Kernel Commit 750569d, Kernel Commit 84d4580, Kernel Commit c381265, and Kernel Commit fb56de5. Update to the corresponding stable release for your kernel branch.
Workarounds
- Disable seg6 lwtunnel encapsulation on affected routers where SRv6 is not operationally required, using sysctl net.ipv6.conf.all.seg6_enabled=0
- Avoid configurations that combine seg6 encap routes with VRF tables or ingress-interface ip rules until the kernel is patched
- Where SRv6 must remain enabled, simplify the post-encap routing context so input and output paths resolve to identical next hops
# Verify kernel version and seg6 status on affected hosts
uname -r
sysctl net.ipv6.conf.all.seg6_enabled
ip -6 route show | grep -E 'encap seg6'
# Temporary mitigation: disable seg6 if not required
sysctl -w net.ipv6.conf.all.seg6_enabled=0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

