External risk intelligence

Linux kernel could allow internal attacker to bypass network routing security

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-31668

An internal attacker can exploit a flaw in the Linux kernel to bypass established network security controls. This enables them to misdirect traffic, potentially leading to the interception of sensitive data or unauthorized access to restricted network segments.

1Halo Surface Signal

Linux Kernel

4.10.1 to before 5.10.2535.11 to before 5.15.2035.16 to before 6.1.1696.2 to before 6.6.1356.7 to before 6.12.826.13 to before 6.18.236.19 to before 6.19.134.107.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-31668

This vulnerability exists deep within the Linux kernel networking stack, specifically in the segment routing (SRv6) implementation. It is not an internet-facing service, API, or edge application. Successful exploitation requires an attacker to already possess internal network access and specific configuration of SRv6 tunnels, making it highly unlikely to be reachable from the public internet.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This Linux kernel issue could allow an attacker to bypass security checks within the segment routing (SRv6) network feature. By manipulating how the kernel caches network information, an unauthorized party might gain elevated privileges or access restricted data on affected systems.

  • Requires internal network access.
  • Potentially impacts systems using SRv6.
  • Allows bypassing network lookups.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this Linux kernel vulnerability by manipulating network traffic to trick the seg6 LWTunnel into reusing a cached routing entry. This bypasses proper routing lookups, potentially allowing for traffic redirection or other network manipulation. The attacker would need to send crafted packets to a vulnerable system.

  • Requires specific SRv6 configuration.
  • Bypasses destination cache lookup.
  • Allows for traffic manipulation.

Live Threat

Current exploitation, exposure, and threat context

This kernel vulnerability in the Linux seg6 lwtunnel is unlikely to be weaponized by attackers. Its complexity and internal focus mean exploitation requires significant pre-existing access and specific network configurations. Attackers generally favor vulnerabilities that are easier to exploit remotely with broader impact.

  • Deep in kernel networking.
  • Requires specific network setup.
  • Not internet-facing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected Linux kernel versions as soon as possible to address the critical seg6 lwtunnel vulnerability, which could lead to data integrity and availability compromise. If immediate patching isn't feasible, focus on network segmentation and hardening to limit exposure.

  • Patch affected Linux kernel versions.
  • Isolate or restrict access to services using seg6 lwtunnel.
  • Monitor network traffic for anomalous SRv6 behavior.

Frequently asked questions

What is the Linux kernel's seg6 lwtunnel component and its role in network routing?

The seg6 lwtunnel is a component within the Linux kernel's networking stack that manages Segment Routing over IPv6 (SRv6). It enables explicit path control by defining how network packets are encapsulated and routed according to specific SRv6 policies.

What is the nature of CVE-2026-31668 and its impact on the Linux kernel's routing cache?

CVE-2026-31668 is a cache binding vulnerability where the seg6 lwtunnel incorrectly shares a single destination cache for both incoming and outgoing network traffic. This weakness allows one traffic path to populate the cache, which the other path can then reuse without performing its own security checks, leading to potential bypasses.

How can an attacker exploit the Linux kernel's seg6 lwtunnel vulnerability?

An attacker with internal network access could exploit this vulnerability by sending crafted packets to a vulnerable system. This manipulation tricks the seg6 lwtunnel into reusing a cached routing entry, bypassing proper routing lookups and potentially allowing for traffic redirection.

What is the relevance of CVE-2026-31668, considering its internal focus and exploitation difficulty?

This vulnerability's relevance is limited as it exists deep within the Linux kernel's SRv6 implementation and is not internet-facing. Exploitation requires significant pre-existing internal network access and specific SRv6 configurations, making it unlikely to be a target for widespread attacks.

What are the recommended steps to address the Linux kernel's seg6 lwtunnel vulnerability?

The primary recommended action is to patch affected Linux kernel versions to resolve the seg6 lwtunnel vulnerability. If immediate patching is not possible, focus on network segmentation and hardening to limit exposure and monitor network traffic for any unusual SRv6 activity.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified