CVE-2026-43083
Awaiting Analysis Awaiting Analysis - Queue
Out-of-Bounds Access in Linux Kernel ioam6

Publication date: 2026-05-06

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc); This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature. While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43083
EUVD
EUVD-2026-27576
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 5.17 (inc) to 6.18.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's networking code related to ioam6 tracing. Specifically, when a certain bit (trace->type.bit6) is set, the code attempts to access a transmission queue (TX queue) based on the packet's queue mapping. However, if the packet is on the receive path (RX path) and the ingress device has more RX queues than the egress device has TX queues, the code can access an out-of-bounds index in the dev->_tx[] array. This happens because the function skb_get_tx_queue() does not limit the index to the number of TX queues available, leading to an out-of-bounds access.

Additionally, the vulnerability includes a missing lock around a function that updates queue statistics, which can cause concurrency issues since the function is called from different contexts (softirq and process). The fix involves adding a check to prevent out-of-bounds access and adding the missing lock to ensure thread safety.

Impact Analysis

This vulnerability can lead to out-of-bounds memory access in the Linux kernel networking code. Such out-of-bounds access can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by corrupting kernel memory.

Furthermore, the missing lock around queue statistics updates can lead to race conditions, which may cause inaccurate statistics or further instability in the kernel's network stack.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43083. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart