CVE-2026-53228
Status: Received - Intake
Buffer Overflow in Linux Kernel IPv6 SIT Module

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call.

If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released.

Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's handling of IPv6 tunneling with SIT (Simple Internet Transition). Specifically, the function ipip6_tunnel_xmit() caches a pointer to the inner IPv6 header at the start and continues to use it after offload processing by iptunnel_handle_offloads().

For Generic Segmentation Offload (GSO) socket buffers (skbs), iptunnel_handle_offloads() calls skb_header_unclone(), which may invoke pskb_expand_head(). That call can move the skb head, so every pointer into the skb header must be reloaded afterward.

If the skb_realloc_headroom() branch is not taken, SIT reads the inner hop limit and DS field through the stale pointer. Once the old head's remaining clone is released, that pointer references freed memory, which is a use-after-free.

The fix involves reloading the inner IPv6 header pointer after the offload helper succeeds and before any subsequent reads, ensuring that the pointer is always valid.
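The pattern in the description and the summary above (a header pointer cached before a helper that may reallocate the skb head, then read after it) is shown here in a constructed userspace model. This is an added example, not kernel code and not the page's own material: `struct skb_model`, `expand_head()` (a stand-in for pskb_expand_head()), `make_sample_skb()` and the two entry points are hypothetical names chosen for illustration. The stale version compares addresses instead of dereferencing the cached pointer, so it shows the defect without reading freed memory; the fixed version reloads the pointer after the helper, as the patch does.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an skb: one heap "head" buffer, headroom, then packet data. Not kernel code. */
struct skb_model {
    unsigned char *head;   /* start of the allocated buffer */
    size_t headroom;       /* bytes between head and the packet data */
    size_t len;            /* bytes of packet data */
};

/* Minimal inner IPv6 header with the real field layout (hop limit at offset 7). */
struct ipv6hdr_model {
    uint8_t vtc;           /* version (6) high nibble, top 4 bits of traffic class low nibble */
    uint8_t tcfl;          /* low 4 bits of traffic class, then flow label */
    uint8_t flow[2];
    uint16_t payload_len;
    uint8_t nexthdr;
    uint8_t hop_limit;
};

static unsigned char *skb_data(const struct skb_model *skb) { return skb->head + skb->headroom; }

/* Same extraction as the kernel's ipv6_get_dsfield(): the 8-bit traffic class. */
static uint8_t dsfield_of(const struct ipv6hdr_model *h)
{
    return (uint8_t)(((h->vtc & 0x0f) << 4) | (h->tcfl >> 4));
}

/* Stand-in for pskb_expand_head(): new larger head, copy data, free the old head.
 * Every pointer into the old head is invalid after this returns. */
static int expand_head(struct skb_model *skb, size_t extra_headroom)
{
    unsigned char *new_head = malloc(skb->headroom + extra_headroom + skb->len);
    if (!new_head)
        return -1;
    memcpy(new_head + skb->headroom + extra_headroom, skb_data(skb), skb->len);
    free(skb->head);
    skb->head = new_head;
    skb->headroom += extra_headroom;
    return 0;
}

/* Constructed sample: inner IPv6 header, traffic class 0xb8 (DSCP EF), hop limit 64. */
static struct skb_model *make_sample_skb(void)
{
    struct ipv6hdr_model hdr = { 0x60 | (0xb8 >> 4), (0xb8 & 0x0f) << 4, {0, 0}, 0, 0, 64 };
    struct skb_model *skb = malloc(sizeof(*skb));
    if (!skb)
        return NULL;
    skb->headroom = 16;
    skb->len = sizeof(hdr);
    skb->head = malloc(skb->headroom + skb->len);
    if (!skb->head) { free(skb); return NULL; }
    memcpy(skb_data(skb), &hdr, sizeof(hdr));
    return skb;
}

static void free_skb(struct skb_model *skb) { if (skb) { free(skb->head); free(skb); } }

/* Buggy shape of ipip6_tunnel_xmit(): pointer cached at entry, kept across the offload helper.
 * Returns 1 if the cached address no longer points at the header (reading through it would be UAF). */
int cached_pointer_goes_stale(void)
{
    struct skb_model *skb = make_sample_skb();
    uintptr_t cached;
    int stale;
    if (!skb)
        return -1;
    cached = (uintptr_t)skb_data(skb);   /* iph6 = ipv6_hdr(skb) at function entry */
    if (expand_head(skb, 64)) { free_skb(skb); return -1; }   /* the offload helper moved the head */
    stale = cached != (uintptr_t)skb_data(skb);
    free_skb(skb);
    return stale;
}

/* Fixed shape: reload the header pointer after the helper succeeds, then read the fields.
 * Returns (dsfield << 8) | hop_limit as read through the reloaded pointer. */
int fixed_read_after_offload(void)
{
    struct skb_model *skb = make_sample_skb();
    const struct ipv6hdr_model *iph6;
    int result;
    if (!skb)
        return -1;
    if (expand_head(skb, 64)) { free_skb(skb); return -1; }
    iph6 = (const struct ipv6hdr_model *)skb_data(skb);   /* reload: the head may have moved */
    result = (dsfield_of(iph6) << 8) | iph6->hop_limit;
    free_skb(skb);
    return result;
}
```

The address comparison in `cached_pointer_goes_stale()` is the check a reviewer applies by eye to kernel code: any pointer derived from `skb->head` or `skb->data` before a call that may reach pskb_expand_head() must be recomputed after it. Running a real driver path like this under KASAN is what turns the silent stale read into a reported use-after-free.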

Impact Analysis

This vulnerability can lead to the Linux kernel accessing freed memory due to stale pointers when processing IPv6 tunneled packets with GSO offloads.

Such use-after-free conditions can cause kernel crashes, instability, or potentially allow attackers to execute arbitrary code or cause denial of service by exploiting the memory corruption.
