CVE-2026-43038

EUVD-2026-26637
In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet
  where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2
  and passed to icmp6_send(), it uses IP6CB(skb2).

  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso
  offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm
  at offset 18.

  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao
  would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called
  and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).

  This would scan the inner, attacker-controlled IPv6 packet starting at that
  offset, potentially returning a fake TLV without checking if the remaining
  packet length can hold the full 18-byte struct ipv6_destopt_hao.

  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end
  of the packet data into skb_shared_info?

  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and
  ip6ip6_err() to prevent this?

This patch implements the first suggestion.

I am not sure if ip6ip6_err() needs to be changed.
A separate patch would be better anyway.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
3.13 <
𝑥
< 5.10.253
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.203
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.168
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.134
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.81
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.22
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.12
linuxlinux_kernel
3.13
linuxlinux_kernel
3.13:rc3
linuxlinux_kernel
3.13:rc4
linuxlinux_kernel
3.13:rc5
linuxlinux_kernel
3.13:rc6
linuxlinux_kernel
3.13:rc7
linuxlinux_kernel
3.13:rc8
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
linuxlinux_kernel
7.0:rc5
linuxlinux_kernel
7.0:rc6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.257-1
fixed
forky
7.0.10-1
fixed
sid
7.0.12-2
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.90-2
fixed
linux-6.1
bullseye (security)
6.1.174-1~deb11u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
dlm-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
gfs2-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-64kb
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-default
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-default-base
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1.150600.12.52.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
kernel-macros
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-source
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-syms
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
ocfs2-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bpftool
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-abi-stablelists
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-core
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-debug
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-debug-core
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-debug-devel
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-debug-modules
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-debug-modules-extra
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-devel
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-doc
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-modules
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-modules-extra
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-rt
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-core
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-debug
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-debug-core
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-debug-devel
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-debug-kvm
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-debug-modules
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-debug-modules-extra
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-devel
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-kvm
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-modules
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-rt-modules-extra
RHEL 8
0:4.18.0-553.132.1.rt7.473.el8_10
fixed
kernel-tools
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-tools-libs
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
kernel-tools-libs-devel
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
kernel-zfcpdump
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
kernel-zfcpdump-core
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
kernel-zfcpdump-devel
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
kernel-zfcpdump-modules
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
kernel-zfcpdump-modules-extra
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
perf
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
python3-perf
RHEL 8
0:4.18.0-553.132.1.el8_10
fixed
RHEL 8.6 AUS
0:4.18.0-372.195.1.el8_6
fixed
RHEL 8.8 E4S
0:4.18.0-477.145.1.el8_8
fixed
RHEL 8.8 TUS
0:4.18.0-477.145.1.el8_8
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
bpftool-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
bpftool6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
bpftool6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo-common-aarch64
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo-common-x86_64
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-headers
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-static
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-livepatch-6.1.168-202.320
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.12.83-113.160
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.18.25-52.107
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-modules-extra
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-modules-extra-common
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-aarch64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-x86_64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-headers
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra-common
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
perf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
python3-perf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7
https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf
https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7
https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5
https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada
https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb
https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8
https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e