CVE-2026-43186
Analyzed Analyzed - Analysis Complete
Heap Buffer Overflow in Linux Kernel IPv6 IOAM

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic. Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it: - in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation; - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written. Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43186
EUVD
EUVD-2026-27747
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 5.15 (inc) to 5.15.202 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's IPv6 ioam (In-situ OAM) feature, specifically in the function __ioam6_fill_trace_data(). The function uses a field called nodelen from incoming packets to determine how much data to write for each node, but it does not verify that nodelen is consistent with another field called type, which indicates which data items are present.

An attacker can craft a malicious packet that sets nodelen to 0 while setting certain bits in the type field, causing the function to write approximately 100 bytes beyond the allocated memory region. This leads to heap buffer overflow, corrupting adjacent memory and potentially causing a kernel panic.

The fix involves adding a helper function to compute the expected nodelen from the type field and dropping packets where nodelen is inconsistent with type before any data is written.

Impact Analysis

This vulnerability can lead to a heap buffer overflow in the Linux kernel, which may cause memory corruption and result in a kernel panic (system crash).

Exploitation of this flaw could disrupt system stability and availability, potentially causing denial of service conditions on affected systems.

Mitigation Strategies

The vulnerability is fixed by adding a consistency check on the nodelen field against the type field in the Linux kernel's ioam6 code. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Specifically, the fix involves dropping packets whose nodelen is inconsistent with the type field before any data is written, preventing heap buffer overflow and kernel panic.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart