Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet
where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2
and passed to icmp6_send(), it uses IP6CB(skb2).

IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso
offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm
at offset 18.

If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao
would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called
and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).

This would scan the inner, attacker-controlled IPv6 packet starting at that
offset, potentially returning a fake TLV without checking if the remaining
packet length can hold the full 18-byte struct ipv6_destopt_hao.

Could mip6_addr_swap() then perform a 16-byte swap that extends past the end
of the packet data into skb_shared_info?

Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and
ip6ip6_err() to prevent this?

This patch implements the first suggestion.

I am not sure if ip6ip6_err() needs to be changed.
A separate patch would be better anyway.
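The overlap the commit message describes can be checked outside the kernel. The following is an added user-space C example, not kernel code and not part of the patch: it replicates struct inet_skb_parm (with its embedded struct ip_options) and struct inet6_skb_parm as recalled from include/net/ip.h, include/net/inet_sock.h and include/linux/ipv6.h (CONFIG_IPV6_MIP6 enabled), which is an assumption, computes where cipso and dsthao fall, and shows why zeroing skb2->cb[] before the IPv6 path reads it removes the stale value.

```c
/* Added example, not kernel code: user-space replica of the two views the kernel
 * overlays on skb->cb[] (48 bytes), with field lists recalled from include/net/ip.h,
 * include/net/inet_sock.h and include/linux/ipv6.h (CONFIG_IPV6_MIP6); an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct ip_options {                 /* compiled IPv4 options */
    uint32_t faddr, nexthop;
    unsigned char optlen, srr, rr, ts;
    unsigned char is_strictroute:1, srr_is_hit:1, is_changed:1, rr_needaddr:1, ts_needtime:1, ts_needaddr:1;
    unsigned char router_alert;
    unsigned char cipso;            /* header offset of the CIPSO option, 0 if none */
    unsigned char __pad2;
};
struct inet_skb_parm {              /* IPCB(skb): IPv4 view of cb[] */
    int iif;
    struct ip_options opt;
    uint16_t flags, frag_max_size;
};
struct inet6_skb_parm {             /* IP6CB(skb): IPv6 view of the same cb[] */
    int iif;
    uint16_t ra, dst0, srcrt, dst1, lastopt, nhoff, flags;
    uint16_t dsthao;                /* offset of the Home Address option, 0 if none */
    uint16_t frag_max_size, srhoff;
};

size_t cipso_offset(void)  { return offsetof(struct inet_skb_parm, opt.cipso); }
size_t dsthao_offset(void) { return offsetof(struct inet6_skb_parm, dsthao); }

/* dsthao as IP6CB(skb2) sees it when cb[] still holds the IPv4 parm written for the
 * outer ICMPv4 packet; clear_cb reproduces the fix (zero skb2->cb before icmp6_send()). */
uint16_t dsthao_seen_by_ipv6(unsigned char ipv4_cipso_off, int clear_cb)
{
    unsigned char cb[48] = {0};
    struct inet_skb_parm v4 = {0};
    struct inet6_skb_parm v6;
    v4.opt.cipso = ipv4_cipso_off;      /* set by IPv4 option parsing */
    memcpy(cb, &v4, sizeof v4);         /* IPv4 layer stores its parm in skb->cb */
    if (clear_cb)
        memset(cb, 0, sizeof cb);       /* the fix */
    memcpy(&v6, cb, sizeof v6);         /* IPv6 layer reinterprets the same bytes */
    return v6.dsthao;                   /* nonzero: mip6_addr_swap() would look for a HAO TLV */
}
int main(void)
{
    printf("cipso at byte %zu, dsthao at byte %zu; dsthao seen: %d stale, %d after clearing cb\n",
           cipso_offset(), dsthao_offset(), dsthao_seen_by_ipv6(20, 0), dsthao_seen_by_ipv6(20, 1));
    return 0;
}
```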
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel’s IPv6 error handling, where an outer IPv4 ICMP error packet is cloned and passed to ip6_err_gen_icmpv6_unreach(). The kernel interprets a field intended for IPv4 as IPv6, enabling an attacker to craft a packet that causes the kernel to read beyond the bounds of the received packet. This out‑of‑bounds read can result in a 16‑byte memory swap that writes past the end of the packet into the skb_shared_info structure, corrupting kernel memory and potentially allowing an attacker to execute arbitrary code with elevated privileges.

Affected Systems

All Linux kernel implementations are affected until the patch that clears skb2->cb[] in ip6_err_gen_icmpv6_unreach() is applied. Administrators should verify whether the kernel in use includes the fix by checking the changelog for the kernel version or by matching the commit hash that introduces the clear operation. Custom or custom‑patched kernels should also be examined to ensure the same code path has been updated.

Risk and Exploitability

The CVSS score is 9.8. The EPSS score is < 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The risk depends on whether the target system is exposed to crafted ICMPv4 error packets that contain a CIPSO option. An attacker would need to send such a malformed packet over a network that forwards ICMPv4 errors to the host. Although exploitation is not yet demonstrated publicly, the memory corruption could lead to kernel privilege escalation if the attack succeeds.

Generated by OpenCVE AI on May 8, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the fix that clears skb2->cb[] in ip6_err_gen_icmpv6_unreach().
  • If an immediate kernel upgrade is not feasible, block or drop all incoming ICMPv4 packets that contain a CIPSO option at the network perimeter using firewall or ACL rules to prevent the malformed packet from reaching the kernel.
  • Configure network devices or intrusion prevention policies to refuse ICMPv4 error packets with unexpected or malicious IP options, ensuring that only well‑formed traffic reaches the host.

Advisories
Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DLA  DLA-4606-1  linux security update
Debian DSA  DSA-6243-1  linux security update
History

Fri, 08 May 2026 19:00:00 +0000

Type: Weaknesses
Values Added: NVD-CWE-noinfo
Type: CPEs
Values Added:
cpe:2.3:o:linux:linux_kernel:3.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-843
Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important

Fri, 01 May 2026 14:45:00 +0000

Type: Description
Values Added: the full commit message shown under Description at the top of this page
Type: Title
Values Added: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
Type: First Time appeared
Values Added: Linux; Linux linux Kernel
Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Linux; Linux linux Kernel
Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:31.106Z

Reserved: 2026-05-01T14:12:55.978Z

Link: CVE-2026-43038

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:48.533

Modified: 2026-05-08T18:47:20.317

Link: CVE-2026-43038

Redhat

Severity : Important

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43038 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:00:10Z

Weaknesses