CVE-2026-43186

EUVD-2026-27747

06.05.2026, 12:16

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

On the receive path, __ioam6_fill_trace_data() uses trace->nodelen
to decide how much data to write for each node. It trusts this field
as-is from the incoming packet, with no consistency check against
trace->type (the 24-bit field that tells which data items are
present). A crafted packet can set nodelen=0 while setting type bits
0-21, causing the function to write ~100 bytes past the allocated
region (into skb_shared_info), which corrupts adjacent heap memory
and leads to a kernel panic.

Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to
derive the expected nodelen from the type field, and use it:

  - in ioam6_iptunnel.c (send path, existing validation) to replace
    the open-coded computation;
  - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose
    nodelen is inconsistent with the type field, before any data is
    written.

Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they
are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to
0xff1ffc00).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 45%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.15 ≤ 𝑥 < 5.15.202
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.165
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.128
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.75
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.16
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.12-2 fixed
sid	7.0.13-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.94-1 fixed

Amazon Linux Releases

Amazon Package

Release

bpftool

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

bpftool-debuginfo

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

bpftool6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

bpftool6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

bpftool6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

bpftool6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-debuginfo

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-debuginfo-common-aarch64

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-debuginfo-common-x86_64

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-devel

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-headers

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-libbpf

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-libbpf-debuginfo

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-libbpf-devel

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-libbpf-static

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-livepatch-6.1.166-197.305

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.12.77-99.140

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.18.16-18.222

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-modules-extra

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-modules-extra-common

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-tools

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-tools-debuginfo

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel-tools-devel

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

kernel6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo-common-aarch64

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo-common-x86_64

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-headers

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-static

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-modules-extra

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-modules-extra-common

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-debuginfo-common-aarch64

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-debuginfo-common-x86_64

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-devel

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-headers

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf-devel

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-libbpf-static

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-modules-extra

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-modules-extra-common

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-tools

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-tools-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

kernel6.18-tools-devel

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

perf

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

perf-debuginfo

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

perf6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

perf6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

perf6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

perf6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

python3-perf

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

python3-perf-debuginfo

Amazon Linux 2023

1:6.1.166-197.305.amzn2023

fixed

python3-perf6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

python3-perf6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

python3-perf6.18

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

python3-perf6.18-debuginfo

Amazon Linux 2023

1:6.18.16-18.222.amzn2023

fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht spezifizierte Angriffe durchzuführen, möglicherweise Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-06T22:00:00+00:00

References

https://git.kernel.org/stable/c/0591d6509c2ff13f09ea2998434aba0c0472e978

https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f

https://git.kernel.org/stable/c/6db8b56eed62baacaf37486e83378a72635c04cc

https://git.kernel.org/stable/c/e90346a2f1e8917d5760a44a1f61c44e3b36d96b

https://git.kernel.org/stable/c/ea3632aefc04205436868541638e26f4a74d5637

https://git.kernel.org/stable/c/f4d9d4b8fd839719d564651671e24c62c545c23b

https://git.kernel.org/stable/c/fb3c662fafebc5b9d74417ed1de8759f6bb72143