medium advisory

CVE-2026-46172 Vulnerability in IPv6 xfrm6_rcv_encap()

CVE-2026-46172 is a vulnerability titled "ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()", potentially leading to a denial-of-service condition.

CVE-2026-46172 is a reported vulnerability in the IPv6 implementation, in the xfrm6_rcv_encap() function. The specific details of the vulnerability are not described in the provided source, but the title indicates it involves releasing the destination (dst) on error within xfrm6_rcv_encap(). This type of error could lead to a denial-of-service if an attacker can trigger the error condition repeatedly. More information is needed to understand the full scope and impact of this vulnerability. Defenders should monitor for unusual activity involving IPv6 traffic and consider applying any available patches or mitigations.

Attack Chain

Due to the limited information, a detailed attack chain cannot be constructed. However, a general attack chain based on the vulnerability description can be proposed:

  1. An attacker crafts a malicious IPv6 packet.
  2. The packet is sent to a vulnerable system.
  3. The system processes the packet and calls the xfrm6_rcv_encap() function.
  4. An error condition is triggered within xfrm6_rcv_encap().
  5. The destination (dst) is released prematurely due to the error.
  6. Subsequent packets relying on the released destination may cause a crash.
  7. Repeated triggering of the vulnerability leads to a denial-of-service.

Impact

Successful exploitation of CVE-2026-46172 could lead to a denial-of-service (DoS) condition. The lack of specific details limits the ability to determine the scope and severity of the impact. Further analysis is required to assess the potential for remote code execution or other more severe consequences. The number of affected systems and sectors is unknown.

Recommendation

  • Investigate and apply any available patches or mitigations for CVE-2026-46172 from Microsoft.
  • Monitor IPv6 traffic for unusual patterns or malformed packets that could trigger the vulnerability.
  • Deploy the Sigma rule to detect potential exploitation attempts targeting CVE-2026-46172.
  • Enable detailed logging of IPv6 traffic to facilitate investigation of potential exploitation attempts.

Detection coverage (2)

Detect CVE-2026-46172 Attempt - Malformed IPv6 Packet

medium

Detects CVE-2026-46172 exploitation attempt - Monitors for malformed IPv6 packets that might trigger the xfrm6_rcv_encap() vulnerability.

Sigma | tactics: denial_of_service | techniques: T1499.004 | sources: network_connection, linux

Detect CVE-2026-46172 Attempt - Excessive XFRM Errors

medium

Detects CVE-2026-46172 exploitation attempt - Monitors for excessive XFRM-related errors in system logs, potentially indicating exploitation attempts.

Sigma | tactics: denial_of_service | techniques: T1499.004 | sources: system, linux
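The "Excessive XFRM Errors" detection above, sketched as an added example (not the platform's Sigma rule and not code from this advisory): instead of parsing log lines, it diffs two snapshots of the kernel's XFRM error counters in /proc/net/xfrm_stat. The threshold of 100, the 60-second interval and the sample snapshots are assumptions, and the page does not say which counter, if any, this CVE's error path increments.

```python
"""Flag bursts of inbound XFRM errors by diffing /proc/net/xfrm_stat snapshots."""
import time

XFRM_STAT = "/proc/net/xfrm_stat"  # exists only with CONFIG_XFRM_STATISTICS
THRESHOLD = 100                    # assumed: growth per interval worth an alert
INTERVAL = 60                      # assumed: seconds between snapshots

# Constructed sample snapshots in the file's "Name<whitespace>value" layout.
SAMPLE_BEFORE = "XfrmInError \t0\nXfrmInBufferError \t2\nXfrmInNoStates \t10\nXfrmOutError \t5\n"
SAMPLE_AFTER = "XfrmInError \t3\nXfrmInBufferError \t2\nXfrmInNoStates \t510\nXfrmOutError \t900\n"


def parse_xfrm_stat(text):
    """Parse counter lines into a dict, skipping anything malformed."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def input_error_deltas(before, after):
    """Growth of each inbound (XfrmIn*) counter between two snapshots.

    A counter that went backwards (reboot, namespace recreated) is reported
    with its new absolute value rather than a negative delta.
    """
    deltas = {}
    for name, new in after.items():
        if not name.startswith("XfrmIn"):
            continue
        old = before.get(name, 0)
        grown = new - old if new >= old else new
        if grown:
            deltas[name] = grown
    return deltas


def alerts(before, after, threshold=THRESHOLD):
    """Sorted names of inbound counters that grew by at least `threshold`."""
    deltas = input_error_deltas(before, after)
    return sorted(name for name, d in deltas.items() if d >= threshold)


if __name__ == "__main__":
    def snapshot():
        with open(XFRM_STAT) as fh:
            return parse_xfrm_stat(fh.read())
    first = snapshot()
    time.sleep(INTERVAL)
    for name in alerts(first, snapshot()):
        print(f"xfrm inbound error burst: {name}")
```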
