CVE-2026-53221

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

Assigner: Linux
Reserved: 09.06.2026 Published: 25.06.2026 Updated: 25.06.2026

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels:

Tunnels matching the packet's local address, with any remote address wildcard remote).
Tunnels matching the packet's remote address, with any local address (wildcard local).

However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to c327fa4fca31415431202e063767a7ae342e19c6 (excl.) affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to fc657ac0767c49839b3ef0b08dc0953ca30883f8 (excl.) affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 47fb3c2b4203556308e64354b3e78f2ce221d646 (excl.) affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to f513f308cc4bdb4530d033431592ffbc29b7fca1 (excl.) affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 90fd4513315ca07da99cfd8549d3e553a7160f0d (excl.) affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 2abfb19bbb81958714ad1d43ebeb65b30394184b (excl.) affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d (excl.) affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to c327fa4fca31415431202e063767a7ae342e19c6 (excl.)
affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to fc657ac0767c49839b3ef0b08dc0953ca30883f8 (excl.)
affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 47fb3c2b4203556308e64354b3e78f2ce221d646 (excl.)
affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to f513f308cc4bdb4530d033431592ffbc29b7fca1 (excl.)
affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 90fd4513315ca07da99cfd8549d3e553a7160f0d (excl.)
affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 2abfb19bbb81958714ad1d43ebeb65b30394184b (excl.)
affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to 2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d (excl.)
affected from fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 to a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 3.19 is affected unaffected from 0 to 3.19 (excl.) unaffected from 5.10.259 to 5.10.* (incl.) unaffected from 5.15.210 to 5.15.* (incl.) unaffected from 6.1.176 to 6.1.* (incl.) unaffected from 6.6.143 to 6.6.* (incl.) unaffected from 6.12.94 to 6.12.* (incl.) unaffected from 6.18.36 to 6.18.* (incl.) unaffected from 7.0.13 to 7.0.* (incl.) unaffected from 7.1 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 3.19 is affected
unaffected from 0 to 3.19 (excl.)
unaffected from 5.10.259 to 5.10.* (incl.)
unaffected from 5.15.210 to 5.15.* (incl.)
unaffected from 6.1.176 to 6.1.* (incl.)
unaffected from 6.6.143 to 6.6.* (incl.)
unaffected from 6.12.94 to 6.12.* (incl.)
unaffected from 6.18.36 to 6.18.* (incl.)
unaffected from 7.0.13 to 7.0.* (incl.)
unaffected from 7.1 to * (incl.)

References

CVE-2026-53221 PUBLISHED

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

Product Status

References