CVE-2026-43038

Description

In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18. If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO). This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao. Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info? Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this? This patch implements the first suggestion. I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.08%• Percentile: 23%

Affected Systems

• linux•linux

  ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < c438ba010171b70bad22fc18b1d5bdc3627476e8 | ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < 0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7 | ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < a4437faf135da293d16fcc4cc607316742bd0ebb | ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < 3d5127d998de617b130aae96b138dba22ac6a8a7 | ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < e41953e7d118e2702bcb217879c173d9d1d3cd4e | ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < a2edbb6393972a02114b6003953a5cef3104fada | ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < 1ceeebd5bd6d855b17a5df625109bfe29129d7cf | ≥ ca15a078bd907df5fc1c009477869c5cbde3b753, < 86ab3e55673a7a49a841838776f1ab18d23a67b5 | 3.13

• linux•linux_kernel

  > 3.13, < 5.10.253 | ≥ 5.11, < 5.15.203 | ≥ 5.16, < 6.1.168 | ≥ 6.2, < 6.6.134 | ≥ 6.7, < 6.12.81 | ≥ 6.13, < 6.18.22 | ≥ 6.19, < 6.19.12 | 3.13 | 3.13:rc3 | 3.13:rc4 | 3.13:rc5 | 3.13:rc6 | 3.13:rc7 | 3.13:rc8 | 7.0:rc1 | 7.0:rc2 | 7.0:rc3 | 7.0:rc4 | 7.0:rc5 | 7.0:rc6

References (8)

• https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8
• https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7
• https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb
• https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7
• https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e
• https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada
• https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf
• https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5