CVE-2026-46260 Overview
CVE-2026-46260 is an out-of-bounds read vulnerability in the Linux kernel's IPv6 networking subsystem. The flaw resides in the fib6_add_rt2node() function within net/ipv6/ip6_fib.c. When an IPv6 route is created with RTA_NH_ID, the resulting struct fib6_info does not include the trailing struct fib6_nh. A prior commit introduced a check on !iter->fib6_nh->fib_nh_gw_family without first validating that iter->nh was NULL, causing reads past the end of the allocated object. The condition was identified by syzbot through KASAN slab-out-of-bounds reporting during IPv6 route insertion via netlink.
Critical Impact
A local user with the ability to send netlink messages to add IPv6 routes can trigger a kernel out-of-bounds read, leading to potential information disclosure or kernel instability.
Affected Products
- Linux kernel IPv6 stack (net/ipv6/ip6_fib.c)
- Kernel branches containing the regression prior to commits 03b5051, 500e546, 8244f95, bcc60ad1, and bf5009a0
- Distributions shipping affected upstream kernel versions
Discovery Timeline
- 2026-06-03 - CVE-2026-46260 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46260
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the IPv6 Forwarding Information Base (FIB) code path. The fib6_add_rt2node() function evaluates iter->fib6_nh->fib_nh_gw_family as part of ECMP qualification logic. When the route entry was created with the RTA_NH_ID netlink attribute, the kernel allocates a struct fib6_info without the trailing struct fib6_nh member. Dereferencing iter->fib6_nh then reads memory beyond the allocated slab object.
KASAN detected a slab-out-of-bounds read of size 1 at offset ffff8880384ba6de. The faulting call chain proceeds from sendmsg() through rtnetlink_rcv_msg(), inet6_rtm_newroute(), ip6_route_add(), __ip6_ins_rt(), fib6_add(), and into fib6_add_rt2node() at line 1142.
Root Cause
The cited commit added an ECMP qualification check that unconditionally dereferences iter->fib6_nh. When iter->nh is non-NULL, rt6_qualify_for_ecmp() would return false regardless, but the optimization read the trailing structure before validating the nexthop pointer. Because fib6_info_alloc() (called from ip6_route_info_create()) only appends struct fib6_nh when no nexthop ID is supplied, the read overruns the kmalloc'd buffer.
Attack Vector
The attack requires the ability to send RTM_NEWROUTE netlink messages with the RTA_NH_ID attribute. This typically requires CAP_NET_ADMIN within a user or network namespace. Unprivileged users in environments allowing user namespace creation can reach the vulnerable path. Successful triggering causes adjacent slab memory to be read into kernel logic, which may leak data or destabilize the FIB.
The upstream fix adds a check for iter->nh prior to evaluating iter->fib6_nh->fib_nh_gw_family, short-circuiting the comparison when a nexthop object is attached.
Detection Methods for CVE-2026-46260
Indicators of Compromise
- KASAN reports referencing slab-out-of-bounds in fib6_add_rt2node in kernel logs (dmesg, /var/log/kern.log)
- Unexpected kernel panics or warnings originating from net/ipv6/ip6_fib.c:1142
- Audit records showing RTM_NEWROUTE netlink messages carrying RTA_NH_ID from non-administrative workloads
Detection Strategies
- Enable KASAN on test and pre-production kernels to surface the read at runtime
- Monitor netlink socket activity for processes invoking sendmsg() with AF_NETLINK family NETLINK_ROUTE and route attributes containing RTA_NH_ID
- Track kernel oops and warning events from the IPv6 FIB code paths using a centralized log pipeline
Monitoring Recommendations
- Forward dmesg and auditd records to a SIEM and alert on KASAN signatures matching fib6_add_rt2node
- Inventory kernel versions across Linux fleets and flag hosts running builds prior to the upstream stable commits listed in the references
- Correlate route modification syscalls with the originating container, namespace, and user context for anomaly review
How to Mitigate CVE-2026-46260
Immediate Actions Required
- Apply the upstream stable kernel patches referenced by commits 03b5051e02f5, 500e54615c97, 8244f959e2c1, bcc60ad129ae, and bf5009a06e03
- Rebuild or update distribution kernels once vendor packages incorporating the fix become available
- Restrict unprivileged user namespace creation where business requirements allow
Patch Information
The fix relocates the iter->nh validation ahead of the iter->fib6_nh->fib_nh_gw_family read in fib6_add_rt2node(), eliminating the out-of-bounds access. Patch details are available in the upstream stable tree via the Kernel Git Commit 03b5051, Kernel Git Commit 500e546, Kernel Git Commit 8244f95, Kernel Git Commit bcc60ad1, and Kernel Git Commit bf5009a0.
Workarounds
- Disable IPv6 on hosts where IPv6 routing is not required: sysctl -w net.ipv6.conf.all.disable_ipv6=1
- Limit CAP_NET_ADMIN to trusted administrators and avoid granting it to container workloads
- Set kernel.unprivileged_userns_clone=0 to prevent unprivileged users from obtaining network namespace privileges
# Configuration example
sysctl -w kernel.unprivileged_userns_clone=0
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
