CVE-2026-43341
Integer Overflow in Linux Kernel ioam6 Trace Fill
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ioam6 feature within the IPv6 networking code. Specifically, the function ioam6_fill_trace_data() uses an 8-bit unsigned integer (u8) to store the schema length contribution to the trace buffer. When certain conditions are met (bit 22 enabled and the largest schema payload), the schema length value wraps around from 256 back to 0, bypassing the check that ensures there is enough remaining space in the trace buffer.
As a result, the function __ioam6_fill_trace_data() incorrectly positions the write cursor without reserving space for the schema area but still copies the full schema header and payload. This causes a buffer overrun in the trace buffer.
The fix involves changing the schema length variable from an 8-bit unsigned integer to an unsigned int, ensuring that the remaining-space check and write cursor calculation correctly account for the full schema length and prevent the buffer overrun.
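The wrap described above can be reproduced in a small user-space model. This is an added example, not the kernel's code: the unit constants, the helper names and the parameter names `remaining` and `node_len` are assumptions chosen so that the largest schema contribution totals 256, as the description states.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model constants (not stated on the page): lengths are counted in
 * units; the schema header adds 1 unit and the largest payload adds 255. */
#define SCHEMA_HDR_UNITS         1u
#define SCHEMA_MAX_PAYLOAD_UNITS 255u

/* Pre-fix: schema contribution kept in 8 bits, so 1 + 255 truncates to 0. */
static unsigned int sclen_u8(int bit22, unsigned int payload_units)
{
    uint8_t sclen = 0;

    if (bit22)
        sclen = (uint8_t)(SCHEMA_HDR_UNITS + payload_units);
    return sclen;
}

/* Post-fix: same arithmetic in unsigned int, so 256 is preserved. */
static unsigned int sclen_uint(int bit22, unsigned int payload_units)
{
    return bit22 ? SCHEMA_HDR_UNITS + payload_units : 0u;
}

/* Remaining-space check: 1 means the fill proceeds, 0 means it is refused.
 * `remaining` and `node_len` are hypothetical names for this model. */
static int space_check_passes(unsigned int remaining, unsigned int node_len,
                              unsigned int sclen)
{
    return remaining != 0 && remaining >= node_len + sclen;
}

int main(void)
{
    unsigned int remaining = 8, node_len = 2;   /* constructed sample values */
    unsigned int narrow = sclen_u8(1, SCHEMA_MAX_PAYLOAD_UNITS);
    unsigned int wide = sclen_uint(1, SCHEMA_MAX_PAYLOAD_UNITS);

    printf("u8 sclen=%u  check passes=%d (schema space not reserved)\n",
           narrow, space_check_passes(remaining, node_len, narrow));
    printf("uint sclen=%u check passes=%d (fill refused)\n",
           wide, space_check_passes(remaining, node_len, wide));
    return 0;
}
```

With the 8-bit variable the check sees a schema length of 0 and passes; with the wider type it sees 256 and refuses the fill.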
How can this vulnerability impact me?
This vulnerability can lead to a buffer overrun in the Linux kernel's IPv6 ioam6 tracing functionality. Buffer overruns can cause memory corruption, which may result in system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.
Exploitation of this vulnerability could compromise the security and reliability of systems running vulnerable Linux kernel versions, potentially leading to denial of service or privilege escalation.