Description
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak

When processing Router Advertisements with user options the kernel
builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct
has three padding fields that are never zeroed and can leak kernel data

The fix is simple, just zeroes the padding fields.
Published: 2026-05-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s handling of IPv6 Router Advertisements that contain user options. When such a message is processed, the kernel constructs a netlink message (RTM_NEWNDUSEROPT) containing a structure with three padding fields that are never initialized. An attacker can read these uninitialized fields, causing kernel memory contents to be exposed outside the kernel. The primary impact is an information disclosure which could reveal sensitive kernel data to the adversary. The weakness is an instance of uninitialized memory usage leading to data leakage.

Affected Systems

All Linux kernel installations that include the unpatched form of the ndisc_ra_useropt routine. The specific CVE references the underlying commit changes, but exact version ranges are not enumerated in the data. Systems running any kernel that has not applied the patch from the provided git commits are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high risk for this vulnerability. The EPSS score of 0.032% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability is likely exploitable remotely over a network by an attacker who can inject crafted IPv6 Router Advertisements targeting the vulnerable host. The uninitialized padding fields provide a read‑only vector for kernel data leaks. As the attack requires only network‑level communication, the attack vector can be inferred to be remote network. The lack of documented exploitation mitigates the immediate threat, but the presence of the flaw warrants prompt remediation.

Generated by OpenCVE AI on May 8, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch for the ndisc_ra_useropt padding fields
  • Reboot the system to load the updated kernel
  • Configure firewall rules to restrict or block unsolicited IPv6 Router Advertisement traffic

Generated by OpenCVE AI on May 8, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak When processing Router Advertisements with user options the kernel builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct has three padding fields that are never zeroed and can leak kernel data The fix is simple, just zeroes the padding fields.
Title net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:33.369Z

Reserved: 2026-05-01T14:12:55.978Z

Link: CVE-2026-43040

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:50.130

Modified: 2026-05-08T18:53:20.333

Link: CVE-2026-43040

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43040 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:15:05Z

Weaknesses