CVE-2026-43037 - Vulnerability Details

- ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

Description

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

Oskar Kjos reported the following problem.

ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written
by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes
IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region
as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff
at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr
value. __ip_options_echo() then reads optlen from attacker-controlled
packet data at sptr[rr+1] and copies that many bytes into dopt->__data,
a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).

To fix this we clear skb2->cb[], as suggested by Oskar Kjos.

Also add minimal IPv4 header validation (version == 4, ihl >= 5).

Published: 2026-05-01

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A stack buffer overflow occurs when handling error messages for IPv4-over-IPv6 tunnels. The error path clones a packet, leaving its control block formatted as IPv6, but subsequent code interprets it as IPv4. The mis‑alignment permits an attacker to control the length field and copy more bytes into a 40‑byte stack buffer, enabling arbitrary code execution on the kernel.

Affected Systems

All Linux kernel builds prior to the fix that clears skb2->cb[] and adds minimal IPv4 header validation are vulnerable. The issue appears on any architecture where the ip6_tunnel subsystem is enabled.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate‑to‑high severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog, so no wide‑spread exploits are known yet. The attack vector is network‑based; an adversary can send crafted IPv4‑in‑IPv6 packets to any exposed IP address, triggering the overflow without authentication or special privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< ea9f65b27c8404e164848ebff1443310fd187629
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< d6621f60192fe10c047a4487be42a6f4c150707f
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< 2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< a0c4ce9900a108eaf55d0f3b399cb55999647d39
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< 1063515ce15ff31065c4e7f8265f4c2fd3c54876
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< 590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< 4a622658f384b03560834cbe8ffcfe69a278f7c8
`c4d3efafcc933fd2ffd169d7dc4f980393a13796`	affected	< 2edfa31769a4add828a7e604b21cb82aaaa05925

Linux

affected

Version	Status	Constraints
`2.6.22`	affected	—
`0`	unaffected	< 2.6.22
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,ea9f65b27c8404e164848ebff1443310fd187629)`	affected	code_commit	—
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,d6621f60192fe10c047a4487be42a6f4c150707f)`	affected	code_commit	—
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5)`	affected	code_commit	—
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,a0c4ce9900a108eaf55d0f3b399cb55999647d39)`	affected	code_commit	—
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,1063515ce15ff31065c4e7f8265f4c2fd3c54876)`	affected	code_commit	—
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3)`	affected	code_commit	—
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,4a622658f384b03560834cbe8ffcfe69a278f7c8)`	affected	code_commit	—
`[c4d3efafcc933fd2ffd169d7dc4f980393a13796,2edfa31769a4add828a7e604b21cb82aaaa05925)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.22`	affected	semver	—
`[0,2.6.22)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a Linux kernel version that includes the ip4ip6_err patch.
If an upgrade is not possible, disable the ip6_tunnel interface to remove the vulnerable code path.
Configure firewall rules to drop malformed IPv4-in-IPv6 packets and monitor network traffic for suspicious tunneled traffic.

Generated by OpenCVE AI on May 2, 2026 at 10:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876
https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5
https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925
https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8
https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3
https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39
https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f
https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629
https://lore.kernel.org/linux-cve-announce/2026050102-CVE-2026-43037-0346@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43037
https://www.cve.org/CVERecord?id=CVE-2026-43037

History

Sat, 02 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-120

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026050102-CVE-2026-43037-0346@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43037 https://www.cve.org/CVERecord?id=CVE-2026-43037
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Fri, 01 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).
Title		ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876 https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5 https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925 https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8 https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3 https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39 https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:35.314Z

Updated: 2026-05-01T14:15:35.314Z

Reserved: 2026-05-01T14:12:55.978Z

Link: CVE-2026-43037

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:48.383

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-43037

Redhat

Severity : Important

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43037 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object