Improper input validation in Linux kernel - CVE-2026-53221

 


Published: June 26, 2026


Vulnerability identifier: #VU135570
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53221
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a remote attacker to cause traffic to be associated with the wrong tunnel.

The vulnerability exists due to improper input validation in vti6_tnl_lookup() when matching IPv6 VTI tunnels during fallback wildcard tunnel searches. A remote attacker can send network traffic that triggers a hash collision and incorrect tunnel selection to cause traffic to be associated with the wrong tunnel.

The issue occurs because candidate tunnels in the fallback search were not verified to actually use wildcard local or remote addresses.
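The fallback check described above can be seen in a simplified user-space model. This is an added example, not the kernel source or the vendor's patch: the types, the tiny hash table, `toy_hash()`, `fallback_any_remote()` and the addresses are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified user-space model of the flaw; all names are hypothetical, not kernel code. */
#define BUCKETS 4                        /* tiny table so a collision is easy to construct */

struct addr6  { uint8_t b[16]; };
struct tunnel { const char *name; struct addr6 laddr, raddr; struct tunnel *next; };

static const struct addr6 ANY6 = {{0}};  /* all zeroes stands for the wildcard address :: */

static int addr_eq(const struct addr6 *a, const struct addr6 *b) { return memcmp(a, b, 16) == 0; }
static unsigned toy_hash(const struct addr6 *r, const struct addr6 *l) { return (r->b[15] ^ l->b[15]) % BUCKETS; }

/* Fallback search for a tunnel bound to `local` with a wildcard remote.
 * verify_wildcard = 0: flawed behaviour, any colliding tunnel with the same local address matches.
 * verify_wildcard = 1: corrected behaviour, the candidate must really have a wildcard remote. */
static struct tunnel *fallback_any_remote(struct tunnel **tbl, const struct addr6 *local,
                                          int verify_wildcard)
{
    for (struct tunnel *t = tbl[toy_hash(&ANY6, local)]; t; t = t->next) {
        if (!addr_eq(local, &t->laddr))
            continue;
        if (verify_wildcard && !addr_eq(&t->raddr, &ANY6))
            continue;                    /* bound to a specific peer: not a wildcard tunnel */
        return t;
    }
    return NULL;
}

/* Constructed scenario: tunnel "peer" (local ::1, remote ::4) lands in the same bucket as the
 * wildcard key for local ::1; tunnel "wild" (local ::1, remote ::) optionally sits behind it. */
static const char *demo(int verify_wildcard, int with_wild)
{
    struct addr6 local = {{0}}, r1 = {{0}};
    local.b[15] = 1;
    r1.b[15] = 4;                        /* (4 ^ 1) % 4 == (0 ^ 1) % 4 == 1: same bucket */
    struct tunnel wild = { "wild", local, ANY6, NULL };
    struct tunnel peer = { "peer", local, r1, with_wild ? &wild : NULL };
    struct tunnel *tbl[BUCKETS] = { NULL };
    tbl[toy_hash(&r1, &local)] = &peer;
    /* Traffic from a remote other than ::4 has no exact match and reaches the fallback. */
    struct tunnel *t = fallback_any_remote(tbl, &local, verify_wildcard);
    return t ? t->name : "none";
}
```

Without the wildcard check, the model returns the peer-bound tunnel for traffic that tunnel was never configured to accept; with the check, it returns the real wildcard tunnel or no match.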


How to mitigate CVE-2026-53221

Install the security update from the vendor's repository.
