CVE-2026-43341
Received Received - Intake
Integer Overflow in Linux Kernel ioam6 Trace Fill

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer. Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43341
EUVD
EUVD-2026-28625
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ioam6 feature within the IPv6 networking code. Specifically, the function ioam6_fill_trace_data() uses an 8-bit unsigned integer (u8) to store the schema length contribution to the trace buffer. When certain conditions are met (bit 22 enabled and the largest schema payload), the schema length value wraps around from 256 back to 0, bypassing the check that ensures there is enough remaining space in the trace buffer.

As a result, the function __ioam6_fill_trace_data() incorrectly positions the write cursor without reserving space for the schema area but still copies the full schema header and payload. This causes a buffer overrun in the trace buffer.

The fix involves changing the schema length variable from an 8-bit unsigned integer to an unsigned int, ensuring that the remaining-space check and write cursor calculation correctly account for the full schema length and prevent the buffer overrun.

Impact Analysis

This vulnerability can lead to a buffer overrun in the Linux kernel's IPv6 ioam6 tracing functionality. Buffer overruns can cause memory corruption, which may result in system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Exploitation of this vulnerability could compromise the security and reliability of systems running vulnerable Linux kernel versions, potentially leading to denial of service or privilege escalation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43341. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart