5.5

CVE-2026-53263

6lowpan: fix off-by-one in multicast context address compression

In the Linux kernel, the following vulnerability has been resolved:

6lowpan: fix off-by-one in multicast context address compression

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
   field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
   is transmitted over the network via lowpan_push_hc_data(),
   leaking kernel stack contents

The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
  data[0..1] = s6_addr[1..2]  (flags/scope + RIID)
  data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against
similar bugs in the future.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.6 < 5.10.259
LinuxLinux Kernel Version >= 5.11 < 5.15.210
LinuxLinux Kernel Version >= 5.16 < 6.1.176
LinuxLinux Kernel Version >= 6.2 < 6.6.143
LinuxLinux Kernel Version >= 6.7 < 6.12.94
LinuxLinux Kernel Version >= 6.13 < 6.18.36
LinuxLinux Kernel Version >= 6.19 < 7.0.13
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
LinuxLinux Kernel Version7.1 Updaterc5
LinuxLinux Kernel Version7.1 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.021
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-193 Off-by-one Error

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

https://git.kernel.org/stable/c/f24a58c72a45f4c109f3557a760cc4b60b7a6037
Patch
https://git.kernel.org/stable/c/da8cbb64b47e9066b40af0de170901caf17b768c
Patch
https://git.kernel.org/stable/c/4485d79617520d84ba5a14515e2b5136007d6deb
Patch
https://git.kernel.org/stable/c/06ce6fc106b16dec9b535950db626261be865e5b
Patch
https://git.kernel.org/stable/c/dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af
Patch
https://git.kernel.org/stable/c/c32f30ef5e66adbfa102348e2e8a23776eb007cb
Patch
https://git.kernel.org/stable/c/da8808463882c3f3c357b072e25053c2121f1419
Patch
https://git.kernel.org/stable/c/2a58899d11009bffc7b4b32a571858f381121837
Patch