CVE-2026-45905
published 2026-05-27CVE-2026-45905: In the Linux kernel, the following vulnerability has been resolved: xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path icmp_route_lookup() performs…
medium5.5
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
icmp_route_lookup() performs multiple route lookups to find a suitable
route for sending ICMP error messages, with special handling for XFRM
(IPsec) policies.
The lookup sequence is:
1. First, lookup output route for ICMP reply (dst = original src)
2. Pass through xfrm_lookup() for policy check
3. If blocked (-EPERM) or dst is not local, enter "reverse path"
4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec
which reverses the original packet's flow (saddrdaddr swapped)
5. If fl4_dec.saddr is local (we are the original destination), use
__ip_route_output_key() for output route lookup
6. If fl4_dec.saddr is NOT local (we are a forwarding node), use
ip_route_input() to simulate the reverse packet's input path
7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag
The bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr
(original packet's source) as destination. If this address becomes local
between the initial check and ip_route_input() call (e.g., due to
concurrent "ip addr add"), ip_route_input() returns a LOCAL route with
dst.output set to ip_rt_bug.
This route is then used for ICMP output, causing dst_output() to call
ip_rt_bug(), triggering a WARN_ON:
------------[ cut here ]------------
WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1
Call Trace:
ip_push_pending_frames+0x202/0x240
icmp_push_reply+0x30d/0x430
__icmp_send+0x1149/0x24f0
ip_options_compile+0xa2/0xd0
ip_rcv_finish_core+0x829/0x1950
ip_rcv+0x2d7/0x420
__netif_receive_skb_one_core+0x185/0x1f0
netif_receive_skb+0x90/0x450
tun_get_user+0x3413/0x3fb0
tun_chr_write_iter+0xe4/0x220
...
Fix this by checking rt2->rt_type after ip_route_input(). If it's
RTN_LOCAL, the route cannot be used for output, so treat it as an error.
The reproducer requires kernel modification to widen the race window,
making it unsuitable as
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 < 9a95ec9144eeff1fc6fbcc21b677e322c6f1430b | 9a95ec9144eeff1fc6fbcc21b677e322c6f1430b |
| linux | linux | >= 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 < 2c1f59005da9dd4b07b26984fd719e36557dc57c | 2c1f59005da9dd4b07b26984fd719e36557dc57c |
| linux | linux | >= 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 < b04061f89ffc6168e7ec3c71d0086ec3c3797228 | b04061f89ffc6168e7ec3c71d0086ec3c3797228 |
| linux | linux | >= 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 < 1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1 | 1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1 |
| linux | linux | >= 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 < 423ce12d10b426709489d6b84fdaa6d2f31c5652 | 423ce12d10b426709489d6b84fdaa6d2f31c5652 |
| linux | linux | >= 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 < 81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00 | 81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00 |
| linux | linux_kernel | — | — |