{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45905", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.084Z", "datePublished": "2026-05-27T12:17:15.050Z", "dateUpdated": "2026-05-27T12:17:15.050Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:17:15.050Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix ip_rt_bug race in icmp_route_lookup reverse path\n\nicmp_route_lookup() performs multiple route lookups to find a suitable\nroute for sending ICMP error messages, with special handling for XFRM\n(IPsec) policies.\n\nThe lookup sequence is:\n1. First, lookup output route for ICMP reply (dst = original src)\n2. Pass through xfrm_lookup() for policy check\n3. If blocked (-EPERM) or dst is not local, enter \"reverse path\"\n4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec\n which reverses the original packet's flow (saddr<->daddr swapped)\n5. If fl4_dec.saddr is local (we are the original destination), use\n __ip_route_output_key() for output route lookup\n6. If fl4_dec.saddr is NOT local (we are a forwarding node), use\n ip_route_input() to simulate the reverse packet's input path\n7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag\n\nThe bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr\n(original packet's source) as destination. If this address becomes local\nbetween the initial check and ip_route_input() call (e.g., due to\nconcurrent \"ip addr add\"), ip_route_input() returns a LOCAL route with\ndst.output set to ip_rt_bug.\n\nThis route is then used for ICMP output, causing dst_output() to call\nip_rt_bug(), triggering a WARN_ON:\n\n ------------[ cut here ]------------\n WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1\n Call Trace:\n <TASK>\n ip_push_pending_frames+0x202/0x240\n icmp_push_reply+0x30d/0x430\n __icmp_send+0x1149/0x24f0\n ip_options_compile+0xa2/0xd0\n ip_rcv_finish_core+0x829/0x1950\n ip_rcv+0x2d7/0x420\n __netif_receive_skb_one_core+0x185/0x1f0\n netif_receive_skb+0x90/0x450\n tun_get_user+0x3413/0x3fb0\n tun_chr_write_iter+0xe4/0x220\n ...\n\nFix this by checking rt2->rt_type after ip_route_input(). If it's\nRTN_LOCAL, the route cannot be used for output, so treat it as an error.\n\nThe reproducer requires kernel modification to widen the race window,\nmaking it unsuitable as a selftest. It is available at:\n\n https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/icmp.c"], "versions": [{"version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063", "lessThan": "9a95ec9144eeff1fc6fbcc21b677e322c6f1430b", "status": "affected", "versionType": "git"}, {"version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063", "lessThan": "2c1f59005da9dd4b07b26984fd719e36557dc57c", "status": "affected", "versionType": "git"}, {"version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063", "lessThan": "b04061f89ffc6168e7ec3c71d0086ec3c3797228", "status": "affected", "versionType": "git"}, {"version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063", "lessThan": "1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1", "status": "affected", "versionType": "git"}, {"version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063", "lessThan": "423ce12d10b426709489d6b84fdaa6d2f31c5652", "status": "affected", "versionType": "git"}, {"version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063", "lessThan": "81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/icmp.c"], "versions": [{"version": "2.6.25", "status": "affected"}, {"version": "0", "lessThan": "2.6.25", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b"}, {"url": "https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c"}, {"url": "https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228"}, {"url": "https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1"}, {"url": "https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652"}, {"url": "https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00"}], "title": "xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix ip_rt_bug race in icmp_route_lookup reverse path\n\nicmp_route_lookup() performs multiple route lookups to find a suitable\nroute for sending ICMP error messages, with special handling for XFRM\n(IPsec) policies.\n\nThe lookup sequence is:\n1. First, lookup output route for ICMP reply (dst = original src)\n2. Pass through xfrm_lookup() for policy check\n3. If blocked (-EPERM) or dst is not local, enter \"reverse path\"\n4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec\n which reverses the original packet's flow (saddr<->daddr swapped)\n5. If fl4_dec.saddr is local (we are the original destination), use\n __ip_route_output_key() for output route lookup\n6. If fl4_dec.saddr is NOT local (we are a forwarding node), use\n ip_route_input() to simulate the reverse packet's input path\n7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag\n\nThe bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr\n(original packet's source) as destination. If this address becomes local\nbetween the initial check and ip_route_input() call (e.g., due to\nconcurrent \"ip addr add\"), ip_route_input() returns a LOCAL route with\ndst.output set to ip_rt_bug.\n\nThis route is then used for ICMP output, causing dst_output() to call\nip_rt_bug(), triggering a WARN_ON:\n\n ------------[ cut here ]------------\n WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1\n Call Trace:\n <TASK>\n ip_push_pending_frames+0x202/0x240\n icmp_push_reply+0x30d/0x430\n __icmp_send+0x1149/0x24f0\n ip_options_compile+0xa2/0xd0\n ip_rcv_finish_core+0x829/0x1950\n ip_rcv+0x2d7/0x420\n __netif_receive_skb_one_core+0x185/0x1f0\n netif_receive_skb+0x90/0x450\n tun_get_user+0x3413/0x3fb0\n tun_chr_write_iter+0xe4/0x220\n ...\n\nFix this by checking rt2->rt_type after ip_route_input(). If it's\nRTN_LOCAL, the route cannot be used for output, so treat it as an error.\n\nThe reproducer requires kernel modification to widen the race window,\nmaking it unsuitable as a selftest. It is available at:\n\n https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81"}], "id": "CVE-2026-45905", "lastModified": "2026-05-27T14:48:31.480", "metrics": {}, "published": "2026-05-27T14:17:04.993", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}