CVE-2026-46172 Overview
CVE-2026-46172 is a memory leak vulnerability in the Linux kernel's IPv6 transformation (xfrm6) subsystem. The flaw resides in the xfrm6_rcv_encap() function, which handles encapsulated IPv6 packets within the IPsec processing path. When the function performs an IPv6 route lookup via ip6_route_input_lookup(), the returned destination entry (dst) is not properly released when the lookup resolves to an error route. Each packet traversing this error path leaks a referenced dst entry, gradually exhausting kernel memory resources on systems processing IPv6 IPsec traffic.
Critical Impact
Repeated packets hitting the error path leak dst entries, leading to kernel resource exhaustion and potential denial of service on affected Linux systems.
Affected Products
- Linux kernel (mainline) — IPv6 xfrm6 subsystem
- Linux stable kernel branches referenced by upstream fix commits
- Distributions shipping vulnerable kernel versions with IPv6 IPsec enabled
Discovery Timeline
- 2026-05-28 - CVE-2026-46172 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46172
Vulnerability Analysis
The vulnerability exists in the IPv6 transformation receive path used by IPsec. The xfrm6_rcv_encap() function performs an IPv6 route lookup when the socket buffer (skb) does not already have a destination entry attached. The lookup helper ip6_route_input_lookup() returns a referenced dst entry even when the resolved route represents an error condition.
When dst->error is set, the function drops the skb without attaching the dst and without releasing the reference returned by the lookup. Each packet that reaches this drop path leaks one referenced dst entry. An attacker capable of sending crafted IPv6 packets that consistently resolve to error routes can force repeated invocations of this leaking path, gradually exhausting kernel memory tied to routing cache entries.
Root Cause
The root cause is a reference-counting error [CWE-401] in the error-handling branch of xfrm6_rcv_encap(). The function takes ownership of the dst reference from ip6_route_input_lookup() but fails to call the corresponding release routine before jumping to the drop label. This produces a classic acquire-without-release pattern on the routing entry reference.
Attack Vector
An attacker on a network path can transmit IPv6 packets crafted to trigger error route resolution within the xfrm6 receive path. Sustained traffic against an affected host steadily increases the count of orphaned dst references. Over time, this consumes kernel memory and can degrade system performance or cause routing subsystem failures.
The vulnerability is described in prose because no verified public exploitation code is available. Refer to the upstream fix commits for the exact code path and corrected logic:
- Kernel patch 9d5047782f9b
- Kernel patch c2efc4956981
- Kernel patch 554c9b090c8a
- Kernel patch 6a5eec0a2a0e
- Kernel patch bc0fcb9823cd
Detection Methods for CVE-2026-46172
Indicators of Compromise
- Steadily increasing kernel memory consumption attributable to routing or dst cache slabs over hours or days.
- Unusual volumes of IPv6 traffic targeting hosts with IPsec/xfrm6 configured for IPv6 transport or tunnel mode.
- Kernel log entries or dmesg output reporting memory pressure, slab allocation failures, or OOM events on IPsec gateways.
Detection Strategies
- Monitor slab allocations for ip6_dst_cache using /proc/slabinfo and alert on sustained unbounded growth.
- Correlate IPv6 ingress packet rates on IPsec interfaces with kernel memory utilization to identify abnormal growth patterns.
- Verify the running kernel version against the fixed commits listed in the upstream stable tree references.
Monitoring Recommendations
- Track host-level memory metrics with thresholds tuned to detect slow leaks rather than only acute exhaustion events.
- Capture and review IPv6 routing table changes and unreachable-route events on hosts terminating IPsec tunnels.
- Forward kernel logs to a centralized analytics platform for longitudinal review of slab and memory warnings.
How to Mitigate CVE-2026-46172
Immediate Actions Required
- Identify Linux hosts running IPv6 IPsec (xfrm6) workloads, particularly IPsec gateways and VPN concentrators.
- Apply the upstream stable kernel update that releases the dst reference before the drop path in xfrm6_rcv_encap().
- Reboot updated systems to ensure the patched kernel is active and the leaking path is no longer reachable.
Patch Information
The fix releases the referenced dst entry before jumping to the drop path, eliminating the reference leak. The corrected logic is distributed across multiple stable branches via the commits 554c9b090c8a, 6a5eec0a2a0e, 9d5047782f9b, bc0fcb9823cd, and c2efc4956981. Distribution maintainers will incorporate these commits into security-maintained kernel packages.
Workarounds
- Where IPv6 IPsec is not required, disable xfrm6 processing or restrict IPv6 ingress on affected interfaces.
- Apply ingress filtering at network boundaries to drop IPv6 packets destined for non-routable or error-resolved addresses.
- Schedule periodic reboots of affected hosts as a short-term measure until the kernel patch is deployed.
# Verify kernel version and check for the fix commits in your distribution
uname -r
# Example: query installed kernel package metadata (Debian/Ubuntu)
apt-cache policy linux-image-$(uname -r)
# Example: query installed kernel package metadata (RHEL/CentOS/Fedora)
rpm -q --changelog kernel | grep -i xfrm6_rcv_encap
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
