In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
icmp_route_lookup() performs multiple route lookups to find a suitable route for sending ICMP error messages, with special handling for XFRM (IPsec) policies.
The lookup sequence is:
1. First, lookup output route for ICMP reply (dst = original src)
2. Pass through xfrm_lookup() for policy check
3. If blocked (-EPERM) or dst is not local, enter "reverse path"
4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec which reverses the original packet's flow (saddr<->daddr swapped)
5. If fl4_dec.saddr is local (we are the original destination), use __ip_route_output_key() for output route lookup
6. If fl4_dec.saddr is NOT local (we are a forwarding node), use ip_route_input() to simulate the reverse packet's input path
7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag
The bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr (original packet's source) as destination. If this address becomes local between the initial check and ip_route_input() call (e.g., due to concurrent "ip addr add"), ip_route_input() returns a LOCAL route with dst.output set to ip_rt_bug.
This route is then used for ICMP output, causing dst_output() to call ip_rt_bug(), triggering a WARN_ON:
------------[ cut here ]------------
WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1
Call Trace:
 <TASK>
 ip_push_pending_frames+0x202/0x240
 icmp_push_reply+0x30d/0x430
 __icmp_send+0x1149/0x24f0
 ip_options_compile+0xa2/0xd0
 ip_rcv_finish_core+0x829/0x1950
 ip_rcv+0x2d7/0x420
 __netif_receive_skb_one_core+0x185/0x1f0
 netif_receive_skb+0x90/0x450
 tun_get_user+0x3413/0x3fb0
 tun_chr_write_iter+0xe4/0x220
 ...
Fix this by checking rt2->rt_type after ip_route_input(). If it's RTN_LOCAL, the route cannot be used for output, so treat it as an error.
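The check-then-use window in step 6 and the effect of the route-type check, as an added user-space model; this is not the kernel patch or any kernel code. All names (reverse_path_lookup, route_input, race_addr, the enums) and the sample addresses are assumptions made for illustration.

```c
/* User-space model (not kernel code) of the step 6 race and the fix. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum rt_type { RT_UNICAST, RT_LOCAL };  /* stand-ins for route types such as RTN_LOCAL */
enum out_fn  { OUT_XMIT, OUT_BUG };     /* OUT_BUG models dst.output = ip_rt_bug */
struct route { enum rt_type type; enum out_fn output; };

static uint32_t local_addrs[8];         /* hypothetical local address table */
static size_t n_local;
static void addr_reset(void) { n_local = 0; }
static void addr_add(uint32_t a) { if (n_local < 8) local_addrs[n_local++] = a; }
static bool addr_is_local(uint32_t a) {
    for (size_t i = 0; i < n_local; i++)
        if (local_addrs[i] == a) return true;
    return false;
}

/* Models ip_route_input(): a local destination yields a LOCAL route
 * whose output handler must never be invoked. */
static struct route route_input(uint32_t daddr) {
    bool local = addr_is_local(daddr);
    return (struct route){ local ? RT_LOCAL : RT_UNICAST, local ? OUT_BUG : OUT_XMIT };
}

/* Models the reverse path for fl4_dec.daddr. A non-zero race_addr simulates a
 * concurrent "ip addr add" landing between the initial check and the lookup.
 * Returns 1 if the reverse path is not entered, 0 if *rt2 is usable,
 * -1 if the route is rejected by the route-type check. */
static int reverse_path_lookup(uint32_t dec_daddr, uint32_t race_addr,
                               bool fixed, struct route *rt2) {
    if (addr_is_local(dec_daddr)) return 1;      /* initial check */
    if (race_addr) addr_add(race_addr);          /* address turns local in the window */
    *rt2 = route_input(dec_daddr);
    if (fixed && rt2->type == RT_LOCAL) return -1;  /* LOCAL route is not an output route */
    return 0;
}

int main(void) {
    struct route r;
    addr_reset(); addr_add(0x0a000001);          /* constructed: 10.0.0.1 is local */
    int rc = reverse_path_lookup(0xc0a80102, 0xc0a80102, false, &r);
    printf("unfixed: rc=%d output=%s\n", rc, r.output == OUT_BUG ? "BUG" : "xmit");
    addr_reset(); addr_add(0x0a000001);
    rc = reverse_path_lookup(0xc0a80102, 0xc0a80102, true, &r);
    printf("fixed:   rc=%d (route rejected)\n", rc);
    return 0;
}
```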
The reproducer requires kernel modification to widen the race window, making it unsuitable as a selftest. It is available at:
https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45905.json",
"cna_assigner": "Linux"
}