// vulnerability record
cached · NVD via COSMOS syncCVE-2026-53221
CRITICALpublished 2026-06-25 09:16 UTC · 3 days ago · modified 2026-06-28 08:16 UTC
// description
In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remote address wildcard remote). - Tunnels matching the packet's remote address, with any local address (wildcard local). However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions. The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
// references (8)
- https://git.kernel.org/stable/c/2abfb19bbb81958714ad1d43ebeb65b30394184b
- https://git.kernel.org/stable/c/2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d
- https://git.kernel.org/stable/c/47fb3c2b4203556308e64354b3e78f2ce221d646
- https://git.kernel.org/stable/c/90fd4513315ca07da99cfd8549d3e553a7160f0d
- https://git.kernel.org/stable/c/a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9