Bug 2482614 (CVE-2026-46120) - CVE-2026-46120 kernel: ip6_gre: Use cached t->net in ip6erspan_changelink()
Summary: CVE-2026-46120 kernel: ip6_gre: Use cached t->net in ip6erspan_changelink()
Keywords:
Status: NEW
Alias: CVE-2026-46120
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 11:05 UTC by OSIDB Bzimport
Modified: 2026-05-28 18:15 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-28 11:05:54 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ip6_gre: Use cached t->net in ip6erspan_changelink().

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape.
Comment 1 Keith Grant 2026-05-28 18:14:20 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052815-CVE-2026-46120-1a01@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.