9.8

CVE-2026-43186

EPSS 0.18%
Veröffentlicht 06.05.2026 11:27:57
Zuletzt bearbeitet 11.05.2026 20:40:56
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

On the receive path, __ioam6_fill_trace_data() uses trace->nodelen
to decide how much data to write for each node. It trusts this field
as-is from the incoming packet, with no consistency check against
trace->type (the 24-bit field that tells which data items are
present). A crafted packet can set nodelen=0 while setting type bits
0-21, causing the function to write ~100 bytes past the allocated
region (into skb_shared_info), which corrupts adjacent heap memory
and leads to a kernel panic.

Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to
derive the expected nodelen from the type field, and use it:

  - in ioam6_iptunnel.c (send path, existing validation) to replace
    the open-coded computation;
  - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose
    nodelen is inconsistent with the type field, before any data is
    written.

Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they
are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to
0xff1ffc00).

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

NVD 6 VulnDex Vulnerability Enrichment 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.15 < 5.15.202

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.16

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.6

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.393

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/f4d9d4b8fd839719d564651671e24c62c545c23b

Patch

https://git.kernel.org/stable/c/fb3c662fafebc5b9d74417ed1de8759f6bb72143

Patch

https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f

Patch

https://git.kernel.org/stable/c/0591d6509c2ff13f09ea2998434aba0c0472e978

Patch

https://git.kernel.org/stable/c/e90346a2f1e8917d5760a44a1f61c44e3b36d96b

Patch

https://git.kernel.org/stable/c/ea3632aefc04205436868541638e26f4a74d5637

Patch

https://git.kernel.org/stable/c/6db8b56eed62baacaf37486e83378a72635c04cc

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-43186

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43186

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43186

EUVD