CVE-2026-43037
Awaiting Analysis Awaiting Analysis - Queue
Memory Corruption in Linux Kernel via IPv6 Tunnel

Publication date: 2026-05-01

Last updated on: 2026-05-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43037
EUVD
EUVD-2026-26636
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 2.6.22 (inc) to 5.10.253 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of IPv6 tunnels, specifically in the ip4ip6_err() function. The issue arises because ip4ip6_err() calls icmp_send() on a cloned socket buffer (skb) whose control buffer (cb[]) was previously written by the IPv6 receive path as a structure (inet6_skb_parm). However, icmp_send() treats this cb[] region as a different structure (inet_skb_parm) used for IPv4, which have different layouts.

Due to this mismatch, a field overlap causes a non-zero value to be read incorrectly, leading __ip_options_echo() to read an attacker-controlled length from the packet data and copy that many bytes into a fixed 40-byte stack buffer. This can cause a buffer overflow or memory corruption.

The fix involved clearing the skb2->cb[] buffer before use and adding minimal IPv4 header validation to prevent malformed packets from triggering this behavior.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel due to improper handling of packet data in IPv6 tunnels. An attacker could exploit this flaw by sending specially crafted packets that trigger a buffer overflow in the kernel stack.

Potential impacts include system instability, crashes (kernel panics), or possibly arbitrary code execution with kernel privileges, which could compromise the entire system's security.

Mitigation Strategies

The vulnerability is resolved by clearing the skb2->cb[] buffer in the ip4ip6_err() function and adding minimal IPv4 header validation (version == 4, ihl >= 5).

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart