CVE-2026-43038
Status: Awaiting Analysis
Memory Corruption in Linux Kernel IPv6 ICMP Error Handling

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18.

If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO). This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao. Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info? Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this?

This patch implements the first suggestion. I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.
CVSS Scores: none assigned yet
EPSS Scores: probability and percentile not listed
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: * (unscoped; the CPE has not been narrowed to affected or fixed versions)
CWE ID: CWE-UNKNOWN (no weakness class assigned yet)
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The fix is the kernel commit quoted in the description: it zeroes skb2->cb[] in ip6_err_gen_icmpv6_unreach() before the cloned packet is handed to icmp6_send(), so IP6CB(skb2) no longer inherits the IPv4 inet_skb_parm that the outer packet left in the control buffer.

Update to a kernel that carries that commit. This page does not list fixed versions; take them from the kernel.org CVE entry or your distribution's advisory, and check for backports rather than comparing only the mainline version number.

If you cannot update yet, note what the trigger is: an inbound ICMPv4 error whose IP header carries a CIPSO option. Dropping IP-option-bearing packets at the network edge narrows exposure, but it is a stopgap, not a fix. The code path also only exists when the kernel is built with CONFIG_IPV6_MIP6, which is what defines the dsthao field and mip6_addr_swap(); grep CONFIG_IPV6_MIP6 /boot/config-$(uname -r) shows whether your kernel has it.

Finally, the commit message states that ip6ip6_err() was not changed by this patch and that a separate patch would be better, so watch for a follow-up covering that tunnel error path.


Can you explain this vulnerability to me?

ip6_err_gen_icmpv6_unreach() runs when the host receives an ICMPv4 error about an encapsulated IPv6 packet it sent (IPv6-in-IPv4 tunnelling, for example the sit driver) and has to translate it into an ICMPv6 error for the inner packet. The skb it receives is the outer IPv4 ICMP error, and the IPv4 input path has already filled skb->cb[] with a struct inet_skb_parm, including the compiled IP options. The function clones the skb into skb2, which carries cb[] over unchanged, and calls icmp6_send(), which reads IP6CB(skb2): the same bytes interpreted as a struct inet6_skb_parm.

The two structs do not have the same shape. At byte offset 18 the IPv4 layout holds inet_skb_parm.opt.cipso, the offset of the CIPSO option in the outer IPv4 header, while the IPv6 layout holds inet6_skb_parm.dsthao, the offset of a Mobile IPv6 Home Address option. An attacker who sends a forged ICMPv4 error carrying a CIPSO IP option therefore makes dsthao non-zero on the cloned skb. icmp6_send() then calls mip6_addr_swap(), which runs ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO) over the inner, attacker-controlled IPv6 packet starting at that offset and, if a TLV of the right type is found, swaps 16 bytes between the option's address field and the packet's IPv6 source address. The commit message points out that the scan can return a matching TLV without checking that the full 18-byte struct ipv6_destopt_hao fits in the remaining packet, and asks whether the swap could then extend past the end of the packet data into skb_shared_info; it raises this as a question rather than reporting a confirmed out-of-bounds write.

The root cause is that skb2->cb[] is reused without being cleared. The patch zeroes it in ip6_err_gen_icmpv6_unreach(), so IP6CB(skb2) starts from an all-zero inet6_skb_parm, dsthao is 0, and mip6_addr_swap() takes no action. The same review suggested clearing cb[] in ip6ip6_err() as well; the commit author left that for a separate patch.

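The cb[] overlap and the unchecked option scan described above, as an added example in C. This is not code from the page or from the kernel: the two struct models are trimmed copies of the kernel's inet_skb_parm/ip_options and inet6_skb_parm layouts (with CONFIG_IPV6_MIP6, where dsthao exists), the inner IPv6 packet is constructed, and the scan only follows the shape the commit message gives for ipv6_find_tlv(). The names dsthao_seen, find_hao, hao_swap_end, build_inner_packet and demo_swap_end are illustrative and exist nowhere in the kernel. The static asserts confirm the overlap at byte 18; the rest shows how a CIPSO offset of 20 in the outer header becomes dsthao on the clone, how the scan returns a bare HAO type byte at the end of the packet so an 18-byte option would extend past the packet, and how zeroing cb[] first (the patch) makes the swap path do nothing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Trimmed models of the two skb->cb[] overlays; field order and widths follow
 * the kernel's inet_skb_parm/ip_options and inet6_skb_parm (CONFIG_IPV6_MIP6). */
struct ip_options_model {
    uint32_t faddr, nexthop;
    uint8_t  optlen, srr, rr, ts, flagbits, router_alert;
    uint8_t  cipso;                   /* offset of the CIPSO option in the IPv4 header */
    uint8_t  pad2;
};
struct inet_skb_parm_model {          /* what IPCB(skb) sees */
    int32_t iif; struct ip_options_model opt; uint16_t flags, frag_max_size;
};
struct inet6_skb_parm_model {         /* what IP6CB(skb) sees */
    int32_t  iif;
    uint16_t ra, dst0, srcrt, dst1, lastopt, nhoff, flags;
    uint16_t dsthao;                  /* offset of the Home Address option, 0 if none */
    uint16_t frag_max_size, srhoff;
};
/* The overlap the commit message describes: both fields live at byte 18. */
_Static_assert(offsetof(struct inet_skb_parm_model, opt) +
               offsetof(struct ip_options_model, cipso) == 18, "cipso at 18");
_Static_assert(offsetof(struct inet6_skb_parm_model, dsthao) == 18, "dsthao at 18");

#define SKB_CB_SIZE   48
#define IPV6_TLV_PAD1 0
#define IPV6_TLV_HAO  201
#define HAO_OPT_LEN   18              /* ipv6_destopt_hao: type, length, 16-byte address */

/* cb[] as the IPv4 input path left it on the outer ICMPv4 error (cipso set by
 * ip_options_compile()), carried into the clone and read back through the IPv6
 * overlay. clear_cb_first models the patch. Little-endian host: dsthao == cipso. */
static uint16_t dsthao_seen(uint8_t cipso_off, int clear_cb_first)
{
    unsigned char cb[SKB_CB_SIZE] = {0};
    struct inet_skb_parm_model v4 = {0};
    struct inet6_skb_parm_model v6;
    v4.opt.optlen = 20;               /* constructed: 20 bytes of IPv4 options */
    v4.opt.cipso = cipso_off;
    memcpy(cb, &v4, sizeof v4);       /* skb_clone() carries cb[] over unchanged */
    if (clear_cb_first)
        memset(cb, 0, sizeof cb);     /* the patch: zero skb2->cb[] before icmp6_send() */
    memcpy(&v6, cb, sizeof v6);
    return v6.dsthao;
}

/* Destination-options walk in the shape the commit message gives for
 * ipv6_find_tlv(): the extension header is bounded by pkt_len, but a matching
 * type is returned at once, with no check that the whole option fits. */
static int find_hao(const unsigned char *pkt, int pkt_len, int offset)
{
    int len, optlen = 0;
    if (offset < 0 || offset + 2 > pkt_len)
        return -1;
    len = (pkt[offset + 1] + 1) << 3; /* hdrlen in 8-octet units, first unit excluded */
    if (offset + len > pkt_len)
        return -1;
    for (offset += 2, len -= 2; len > 0; offset += optlen, len -= optlen) {
        if (pkt[offset] == IPV6_TLV_HAO)
            return offset;            /* offset + HAO_OPT_LEN may exceed pkt_len */
        if (pkt[offset] == IPV6_TLV_PAD1)
            optlen = 1;
        else if (len < 2 || (optlen = pkt[offset + 1] + 2) > len)
            return -1;
    }
    return -1;
}

/* Exclusive end of the 16-byte swap mip6_addr_swap() would do on the found
 * option, or -1 if it would not run. A value above pkt_len is past the packet data. */
static int hao_swap_end(const unsigned char *pkt, int pkt_len, uint16_t dsthao)
{
    int off = dsthao ? find_hao(pkt, pkt_len, dsthao) : -1;
    return off < 0 ? -1 : off + HAO_OPT_LEN;
}

/* Constructed inner IPv6 packet: 40-byte header plus 8 bytes of payload. The
 * attacker wrote a fake destination-options header into the source address at
 * offset 20 (where CIPSO sits when it is the first outer IPv4 option): hdrlen 2,
 * a 21-byte PadN, then the HAO type as the final byte at offset 43, so an
 * 18-byte option would end at byte 61 of a 48-byte packet. */
static int build_inner_packet(unsigned char pkt[48])
{
    memset(pkt, 0, 48);
    pkt[0] = 0x60; pkt[5] = 8; pkt[6] = 59; pkt[7] = 64;   /* v6, plen, nh, hlim */
    pkt[20] = 59; pkt[21] = 2;                             /* fake dest-opts: nh, hdrlen */
    pkt[22] = 1;  pkt[23] = 19;                            /* PadN with 19 padding bytes */
    pkt[43] = IPV6_TLV_HAO;                                /* bare type byte, nothing after */
    return 48;
}

/* Whole path for a CIPSO option at outer offset 20, with and without the patch. */
static int demo_swap_end(int clear_cb_first)
{
    unsigned char pkt[48];
    int n = build_inner_packet(pkt);
    return hao_swap_end(pkt, n, dsthao_seen(20, clear_cb_first));
}

int main(void)
{
    printf("dsthao seen by icmp6_send(): %u unpatched, %u patched\n",
           (unsigned)dsthao_seen(20, 0), (unsigned)dsthao_seen(20, 1));
    printf("swap would end at byte %d of 48 unpatched, %d patched\n",
           demo_swap_end(0), demo_swap_end(1));
    return 0;
}
```

The point of the two static asserts is that the bug is a layout accident, not a logic error in either protocol's code: nothing in the IPv4 path writes dsthao, it merely writes cipso into the byte that the IPv6 overlay later reads as dsthao. Clearing cb[] removes the stale bytes, which is why a memset is the complete fix for this function.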

How can this vulnerability impact me?

The trigger is a single forged ICMPv4 error packet that carries a CIPSO IP option and an attacker-chosen IPv6 packet inside it, so the attack needs no authentication and no code on the target, only the ability to get that packet to a host on the vulnerable code path. What it achieves is kernel memory corruption: the 16-byte address swap in mip6_addr_swap() may operate on bytes past the end of the packet data, where the commit message says skb_shared_info lies. The most plausible outcome is a kernel crash, that is, denial of service; whether it can be steered into anything more is not established by the fix commit, and no CVSS score has been assigned yet.

The description does not name the kernel versions affected, so treat any kernel without the fix commit as exposed. Hosts that terminate IPv6-in-IPv4 tunnels (for example the sit driver, which is where ip6_err_gen_icmpv6_unreach() is reached) are the most directly at risk, since that is the path on which an ICMPv4 error about an encapsulated IPv6 packet is processed.

