9.8
CVE-2026-43038
- EPSS 0.26%
- Veröffentlicht 01.05.2026 14:15:35
- Zuletzt bearbeitet 30.06.2026 03:19:43
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18. If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO). This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao. Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info? Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this? This patch implements the first suggestion. I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version > 3.13 < 5.10.253
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.203
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.168
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.134
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.81
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.22
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.12
Linux ≫ Linux Kernel Version3.13 Update-
Linux ≫ Linux Kernel Version3.13 Updaterc3
Linux ≫ Linux Kernel Version3.13 Updaterc4
Linux ≫ Linux Kernel Version3.13 Updaterc5
Linux ≫ Linux Kernel Version3.13 Updaterc6
Linux ≫ Linux Kernel Version3.13 Updaterc7
Linux ≫ Linux Kernel Version3.13 Updaterc8
Linux ≫ Linux Kernel Version7.0 Updaterc1
Linux ≫ Linux Kernel Version7.0 Updaterc2
Linux ≫ Linux Kernel Version7.0 Updaterc3
Linux ≫ Linux Kernel Version7.0 Updaterc4
Linux ≫ Linux Kernel Version7.0 Updaterc5
Linux ≫ Linux Kernel Version7.0 Updaterc6
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.168 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.3 | 1.8 | 5.5 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
|
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8
https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7
https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb
https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7
https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e
https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada
https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf
https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5
https://access.redhat.com/errata/RHSA-2026:22900
https://access.redhat.com/errata/RHSA-2026:22940
https://access.redhat.com/errata/RHSA-2026:22964
https://access.redhat.com/errata/RHSA-2026:23224
https://access.redhat.com/errata/RHSA-2026:23237
https://access.redhat.com/errata/RHSA-2026:24343
https://access.redhat.com/errata/RHSA-2026:25120
https://access.redhat.com/errata/RHSA-2026:25121
https://access.redhat.com/errata/RHSA-2026:25533
https://access.redhat.com/errata/RHSA-2026:26535
https://access.redhat.com/errata/RHSA-2026:30848
https://access.redhat.com/errata/RHSA-2026:30129
https://access.redhat.com/security/cve/CVE-2026-43038
https://bugzilla.redhat.com/show_bug.cgi?id=2464397
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43038.json