CVE-2026-31415

EUVD-2026-21934
In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid overflows in ip6_datagram_send_ctl()

Yiming Qian reported:
<quote>
 I believe I found a locally triggerable kernel bug in the IPv6 sendmsg
 ancillary-data path that can panic the kernel via `skb_under_panic()`
 (local DoS).

 The core issue is a mismatch between:

 - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type
 `__u16`) and
 - a pointer to the *last* provided destination-options header (`opt->dst1opt`)

 when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.

 - `include/net/ipv6.h`:
   - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).
 (lines 291-307, especially 298)
 - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:
   - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`
 without rejecting duplicates. (lines 909-933)
 - `net/ipv6/ip6_output.c:__ip6_append_data()`:
   - Uses `opt->opt_flen + opt->opt_nflen` to compute header
 sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)
 - `net/ipv6/ip6_output.c:__ip6_make_skb()`:
   - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero.
 (lines 1930-1934)
 - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:
   - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the
 pointed-to header). (lines 1179-1185 and 1206-1211)

 1. `opt_flen` is a 16-bit accumulator:

 - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.

 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs
 and increments `opt_flen` each time:

 - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:
   - It computes `len = ((hdr->hdrlen + 1) << 3);`
   - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns,
 CAP_NET_RAW)`. (line 922)
   - Then it does:
     - `opt->opt_flen += len;` (line 927)
     - `opt->dst1opt = hdr;` (line 928)

 There is no duplicate rejection here (unlike the legacy
 `IPV6_2292DSTOPTS` path which rejects duplicates at
 `net/ipv6/datagram.c:901-904`).

 If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps
 while `dst1opt` still points to a large (2048-byte)
 destination-options header.

 In the attached PoC (`poc.c`):

 - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048`
 - 1 cmsg with `hdrlen=0` => `len = 8`
 - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`
 - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.

 3. The transmit path sizes headers using the wrapped `opt_flen`:

 - In `net/ipv6/ip6_output.c:1463-1465`:
   - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen +
 opt->opt_nflen : 0) + ...;`

 With wrapped `opt_flen`, `headersize`/headroom decisions underestimate
 what will be pushed later.

 4. When building the final skb, the actual push length comes from
 `dst1opt` and is not limited by wrapped `opt_flen`:

 - In `net/ipv6/ip6_output.c:1930-1934`:
   - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`
 - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes
 `dst1opt` via `ipv6_push_exthdr()`.
 - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:
   - `skb_push(skb, ipv6_optlen(opt));`
   - `memcpy(h, opt, ipv6_optlen(opt));`

 With insufficient headroom, `skb_push()` underflows and triggers
 `skb_under_panic()` -> `BUG()`:

 - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)
 - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)

 - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target
 netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`).
 - Root (or any task with `CAP_NET_RAW`) can trigger this without user
 namespaces.
 - An unprivileged `uid=1000` user can trigger this if unprivileged
 user namespaces are enabled and it can create a userns+netns to obtain
 namespaced `CAP_NET_RAW` (the attached PoC does this).

 - Local denial of service: kernel BUG/panic (system crash).
 -
---truncated---
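
The accounting mismatch described in the report above, modelled in user space as an added example (not code from the kernel, the reporter's PoC, or the upstream fix). The struct, the function names and the `replace_dup` guard are assumptions for illustration; only `opt_flen`, the `(hdrlen + 1) << 3` length formula and the cmsg counts come from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only. opt_flen mirrors the __u16 field named in the report;
 * last_len stands in for ipv6_optlen(opt->dst1opt). Other names are hypothetical. */
struct txopts_model { uint16_t opt_flen; size_t last_len; };

/* len = (hdrlen + 1) << 3, as quoted from ip6_datagram_send_ctl(). */
static size_t dstopts_len(uint8_t hdrlen) { return ((size_t)hdrlen + 1) << 3; }

/* Feed n IPV6_DSTOPTS header lengths through the accounting.
 * replace_dup == 0: as the report describes it, every cmsg adds to the 16-bit sum.
 * replace_dup == 1: assumed guard, a repeat replaces the previous contribution. */
static struct txopts_model account(const uint8_t *h, size_t n, int replace_dup)
{
    struct txopts_model o = {0, 0};
    for (size_t i = 0; i < n; i++) {
        size_t len = dstopts_len(h[i]);
        size_t prev = replace_dup ? o.last_len : 0;
        o.opt_flen = (uint16_t)(o.opt_flen - prev + len);  /* wraps modulo 65536 */
        o.last_len = len;   /* only the last header is remembered */
    }
    return o;
}

/* Bytes pushed beyond what a size computed from opt_flen would have reserved. */
static size_t shortfall(struct txopts_model o)
{
    return o.last_len > o.opt_flen ? o.last_len - o.opt_flen : 0;
}

/* Constructed sample: one hdrlen=0 entry, then 32 with hdrlen=255 (the report's sums). */
static size_t fill_sample(uint8_t out[33])
{
    out[0] = 0;
    for (size_t i = 1; i < 33; i++) out[i] = 255;
    return 33;
}

int main(void)
{
    uint8_t h[33];
    size_t n = fill_sample(h);
    struct txopts_model bad = account(h, n, 0), ok = account(h, n, 1);
    printf("as reported: opt_flen=%u shortfall=%zu\n", (unsigned)bad.opt_flen, shortfall(bad));
    printf("with guard:  opt_flen=%u shortfall=%zu\n", (unsigned)ok.opt_flen, shortfall(ok));
    return 0;
}
```

The invariant to check in any fix is that the length used for headroom sizing can never be smaller than the header that is later pushed.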

Provider: NIST (Primary)
Base Score (CVSS 3.x): UNKNOWN
This vulnerability is currently awaiting analysis.
EPSS Score: Percentile: Unknown

Debian Releases

| Debian Product | Codename: status |
|---|---|
| linux | bookworm: vulnerable; bookworm (security): vulnerable; bullseye: vulnerable; bullseye (security): vulnerable; forky: vulnerable; sid: vulnerable; trixie: vulnerable; trixie (security): vulnerable |

Ubuntu Releases

| Ubuntu Product | Codename: status |
|---|---|
| linux | bionic: needs-triage; focal: needs-triage; jammy: needs-triage; noble: needs-triage; questing: needs-triage; trusty: needs-triage; xenial: needs-triage |
| linux-hwe | bionic: ignored; jammy: dne; noble: dne; questing: dne; xenial: needs-triage |
| linux-hwe-5.4 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-aws-5.8 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-hwe-5.8 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-hwe-5.11 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-hwe-5.13 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-hwe-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-hwe-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-hwe-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-hwe-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-hwe-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-hwe-6.11 | jammy: dne; noble: ignored; questing: dne |
| linux-hwe-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-hwe-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-hwe-edge | bionic: ignored; jammy: dne; noble: dne; questing: dne; xenial: ignored |
| linux-lts-xenial | jammy: dne; noble: dne; questing: dne; trusty: needs-triage |
| linux-kvm | bionic: needs-triage; focal: needs-triage; jammy: needs-triage; noble: dne; questing: dne; xenial: needs-triage |
| linux-allwinner-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-aws | bionic: needs-triage; focal: needs-triage; jammy: needs-triage; noble: needs-triage; questing: needs-triage; trusty: needs-triage; xenial: needs-triage |
| linux-aws-5.0 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-aws-5.3 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-aws-5.4 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-aws-5.11 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-aws-5.13 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-aws-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-aws-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-aws-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-aws-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-aws-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-aws-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-aws-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-aws-hwe | jammy: dne; noble: dne; questing: dne; xenial: needs-triage |
| linux-azure | bionic: ignored; focal: needs-triage; jammy: needs-triage; noble: needs-triage; questing: needs-triage; trusty: needs-triage; xenial: needs-triage |
| linux-azure-4.15 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-azure-5.3 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-azure-5.4 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-azure-5.8 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-azure-5.11 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-azure-5.13 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-azure-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-azure-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-azure-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-azure-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-azure-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-azure-6.11 | jammy: dne; noble: ignored; questing: dne |
| linux-azure-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-azure-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-azure-fde | focal: ignored; jammy: needs-triage; noble: needs-triage; questing: needs-triage |
| linux-azure-fde-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-azure-fde-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-azure-fde-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-azure-fde-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-azure-fde-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-azure-fde-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-azure-nvidia | jammy: dne; noble: needs-triage; questing: dne |
| linux-azure-nvidia-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-bluefield | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-azure-edge | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-fips | bionic: needs-triage; focal: needs-triage; jammy: dne; noble: dne; questing: dne; xenial: needs-triage |
| linux-aws-fips | bionic: needs-triage; focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-azure-fips | bionic: needs-triage; focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-gcp-fips | bionic: needs-triage; focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-gcp | bionic: ignored; focal: needs-triage; jammy: needs-triage; noble: needs-triage; questing: needs-triage; xenial: needs-triage |
| linux-gcp-4.15 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-gcp-5.3 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gcp-5.4 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-gcp-5.8 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gcp-5.11 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gcp-5.13 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gcp-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-gcp-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-gcp-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-gcp-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-gcp-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-gcp-6.11 | jammy: dne; noble: ignored; questing: dne |
| linux-gcp-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-gcp-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-gke | focal: ignored; jammy: needs-triage; noble: needs-triage; questing: dne |
| linux-gke-4.15 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gke-5.4 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gke-5.15 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gkeop | focal: ignored; jammy: needs-triage; noble: needs-triage; questing: dne |
| linux-gkeop-5.4 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-gkeop-5.15 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-ibm | focal: needs-triage; jammy: needs-triage; noble: needs-triage; questing: dne |
| linux-ibm-5.4 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-ibm-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-ibm-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-intel-5.13 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-intel-iotg | jammy: needs-triage; noble: dne; questing: dne |
| linux-intel-iotg-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-iot | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-intel-iot-realtime | jammy: ignored; noble: dne; questing: dne |
| linux-lowlatency | jammy: needs-triage; noble: needs-triage; questing: dne |
| linux-lowlatency-hwe-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-lowlatency-hwe-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-lowlatency-hwe-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-lowlatency-hwe-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-lowlatency-hwe-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-lowlatency-hwe-6.11 | jammy: dne; noble: ignored; questing: dne |
| linux-nvidia | jammy: needs-triage; noble: needs-triage; questing: dne |
| linux-nvidia-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-nvidia-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-nvidia-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-nvidia-6.11 | jammy: dne; noble: ignored; questing: dne |
| linux-nvidia-lowlatency | jammy: dne; noble: needs-triage; questing: dne |
| linux-nvidia-tegra | jammy: needs-triage; noble: needs-triage; questing: dne |
| linux-nvidia-tegra-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-nvidia-tegra-igx | jammy: needs-triage; noble: dne; questing: dne |
| linux-oracle | bionic: needs-triage; focal: needs-triage; jammy: needs-triage; noble: needs-triage; questing: needs-triage; xenial: needs-triage |
| linux-oracle-5.0 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oracle-5.3 | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oracle-5.4 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-oracle-5.8 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oracle-5.11 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oracle-5.13 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oracle-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-oracle-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-oracle-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-oracle-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-oracle-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-oem | bionic: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oem-5.6 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oem-5.10 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oem-5.13 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oem-5.14 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-oem-5.17 | jammy: ignored; noble: dne; questing: dne |
| linux-oem-6.0 | jammy: ignored; noble: dne; questing: dne |
| linux-oem-6.1 | jammy: ignored; noble: dne; questing: dne |
| linux-oem-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-oem-6.8 | jammy: dne; noble: ignored; questing: dne |
| linux-oem-6.11 | jammy: dne; noble: ignored; questing: dne |
| linux-oem-6.14 | jammy: dne; noble: needs-triage; questing: dne |
| linux-oem-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-raspi | focal: needs-triage; jammy: needs-triage; noble: needs-triage; questing: needs-triage |
| linux-raspi2 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-raspi-5.4 | bionic: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-raspi-realtime | jammy: dne; noble: ignored; questing: dne |
| linux-realtime | jammy: ignored; noble: ignored; questing: needs-triage |
| linux-realtime-6.8 | jammy: dne; noble: dne; questing: dne |
| linux-realtime-6.14 | jammy: dne; noble: dne; questing: dne |
| linux-riscv | focal: ignored; jammy: ignored; noble: ignored; questing: needs-triage |
| linux-riscv-5.8 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-riscv-5.11 | focal: ignored; jammy: dne; noble: dne; questing: dne |
| linux-riscv-5.15 | focal: needs-triage; jammy: dne; noble: dne; questing: dne |
| linux-riscv-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-riscv-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-riscv-6.8 | jammy: needs-triage; noble: dne; questing: dne |
| linux-riscv-6.14 | jammy: dne; noble: ignored; questing: dne |
| linux-riscv-6.17 | jammy: dne; noble: needs-triage; questing: dne |
| linux-starfive-5.19 | jammy: ignored; noble: dne; questing: dne |
| linux-starfive-6.2 | jammy: ignored; noble: dne; questing: dne |
| linux-starfive-6.5 | jammy: ignored; noble: dne; questing: dne |
| linux-xilinx | jammy: dne; noble: needs-triage; questing: dne |
| linux-xilinx-zynqmp | focal: needs-triage; jammy: needs-triage; noble: dne; questing: dne |
| linux-realtime-6.17 | jammy: dne; noble: dne; questing: dne |