9.8

CVE-2026-43037

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

Oskar Kjos reported the following problem.

ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written
by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes
IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region
as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff
at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr
value. __ip_options_echo() then reads optlen from attacker-controlled
packet data at sptr[rr+1] and copies that many bytes into dopt->__data,
a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).

To fix this we clear skb2->cb[], as suggested by Oskar Kjos.

Also add minimal IPv4 header validation (version == 4, ihl >= 5).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.22 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.168
LinuxLinux Kernel Version >= 6.2 < 6.6.134
LinuxLinux Kernel Version >= 6.7 < 6.12.81
LinuxLinux Kernel Version >= 6.13 < 6.18.22
LinuxLinux Kernel Version >= 6.19 < 6.19.12
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.426
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629
Patch
https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f
Patch
https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5
Patch
https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39
Patch
https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876
Patch
https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3
Patch
https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8
Patch
https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925
Patch
https://bugzilla.redhat.com/show_bug.cgi?id=2464351
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43037.json
https://access.redhat.com/errata/RHSA-2026:25181
https://access.redhat.com/errata/RHSA-2026:26528
https://access.redhat.com/errata/RHSA-2026:26542
https://access.redhat.com/errata/RHSA-2026:28887
https://access.redhat.com/errata/RHSA-2026:28962
https://access.redhat.com/errata/RHSA-2026:22900
https://access.redhat.com/errata/RHSA-2026:22940
https://access.redhat.com/errata/RHSA-2026:23224
https://access.redhat.com/errata/RHSA-2026:25191
https://access.redhat.com/errata/RHSA-2026:25217
https://access.redhat.com/errata/RHSA-2026:22964
https://access.redhat.com/errata/RHSA-2026:23237
https://access.redhat.com/errata/RHSA-2026:24343
https://access.redhat.com/errata/RHSA-2026:25120
https://access.redhat.com/errata/RHSA-2026:25121
https://access.redhat.com/errata/RHSA-2026:25186
https://access.redhat.com/errata/RHSA-2026:25193
https://access.redhat.com/errata/RHSA-2026:25200
https://access.redhat.com/errata/RHSA-2026:25533
https://access.redhat.com/errata/RHSA-2026:25534
https://access.redhat.com/errata/RHSA-2026:26535
https://access.redhat.com/errata/RHSA-2026:27719
https://access.redhat.com/errata/RHSA-2026:27729
https://access.redhat.com/errata/RHSA-2026:28738
https://access.redhat.com/errata/RHSA-2026:28740
https://access.redhat.com/errata/RHSA-2026:28741
https://access.redhat.com/errata/RHSA-2026:28742
https://access.redhat.com/errata/RHSA-2026:28748
https://access.redhat.com/errata/RHSA-2026:28749
https://access.redhat.com/errata/RHSA-2026:28750
https://access.redhat.com/errata/RHSA-2026:33486
https://access.redhat.com/security/cve/CVE-2026-43037
https://access.redhat.com/errata/RHSA-2026:34098