Description
In the Linux kernel, the following vulnerability has been resolved:

net: ioam6: fix OOB and missing lock

When trace->type.bit6 is set:

    if (trace->type.bit6) {
        ...
        queue = skb_get_tx_queue(dev, skb);
        qdisc = rcu_dereference(queue->qdisc);

This code can lead to an out-of-bounds access of the dev->_tx[] array
when is_input is true. In such a case, the packet is on the RX path and
skb->queue_mapping contains the RX queue index of the ingress device. If
the ingress device has more RX queues than the egress device (dev) has
TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.
Add a check to avoid this situation since skb_get_tx_queue() does not
clamp the index. This issue has also revealed that per queue visibility
cannot be accurate and will be replaced later as a new feature.

While at it, add missing lock around qdisc_qstats_qlen_backlog(). The
function __ioam6_fill_trace_data() is called from both softirq and
process contexts, hence the use of spin_lock_bh() here.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Linux kernel's IOAM6 subsystem allows an out‑of‑bounds array access when trace->type.bit6 is set and is_input is true. The code calls skb_get_tx_queue(), which does not clamp the index, so for a packet on the RX path, where skb->queue_mapping holds the ingress device's RX queue index, the lookup can use an index that exceeds dev->num_tx_queues of the egress device. This can corrupt memory in the dev->_tx[] array, potentially leading to a system crash or arbitrary code execution. Additionally, a missing lock around qdisc_qstats_qlen_backlog() introduces a race condition, because __ioam6_fill_trace_data() is called from both softirq and process contexts, further increasing the chance of undefined behavior.
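
A userspace model of the bounds check the description calls for, added here as an illustration; it is not the kernel patch. The struct names, the sample backlog values and the 0xffffffff "unavailable" fallback are assumptions, and the locking fix is not modeled.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sentinel written when the queue depth cannot be reported. */
#define QDEPTH_UNAVAILABLE 0xffffffffu

struct txq_model { uint32_t backlog; };   /* stands in for one dev->_tx[] entry */

struct netdev_model {
    unsigned int num_tx_queues;           /* number of valid entries in tx[] */
    struct txq_model *tx;                 /* models dev->_tx[] */
};

struct skb_model { uint16_t queue_mapping; };  /* RX queue index on the input path */

/* The index is usable only if it names a TX queue that exists on dev. */
int tx_index_in_range(const struct netdev_model *dev, const struct skb_model *skb)
{
    return skb->queue_mapping < dev->num_tx_queues;
}

/* Checked lookup: never indexes tx[] with an out-of-range queue_mapping. */
uint32_t fill_queue_depth(const struct netdev_model *dev, const struct skb_model *skb)
{
    if (!tx_index_in_range(dev, skb))
        return QDEPTH_UNAVAILABLE;
    return dev->tx[skb->queue_mapping].backlog;
}

/* Constructed sample: an egress device with 4 TX queues. */
static struct txq_model egress_txq[4] = { {10}, {20}, {30}, {40} };
static const struct netdev_model egress = { 4, egress_txq };

/* Look up the depth for a packet that arrived on the given RX queue. */
uint32_t depth_for_mapping(uint16_t queue_mapping)
{
    struct skb_model skb = { queue_mapping };
    return fill_queue_depth(&egress, &skb);
}

int main(void)
{
    /* Ingress device with 8 RX queues: indexes 4..7 do not exist on egress. */
    for (uint16_t rxq = 0; rxq < 8; rxq++)
        printf("rx queue %u -> depth 0x%08x\n", (unsigned)rxq,
               (unsigned)depth_for_mapping(rxq));
    return 0;
}
```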

Affected Systems

All Linux kernel installations that contain the IOAM6 networking code and have not applied the patch are affected. No specific kernel version or distribution is listed, so the impact applies to any kernel built before the changes were merged.

Risk and Exploitability

No publicly known exploit exists and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggered by specially crafted network traffic, the attack vector is likely remote over a network interface that uses IOAM6. The CVSS score is not provided but the nature of the out‑of‑bounds memory corruption suggests a high severity level. The EPSS score is unavailable, so the current exploitation probability cannot be quantified. Nonetheless, the potential for kernel crashes and the absence of a mitigation in older kernels warrant prompt attention.

Generated by OpenCVE AI on May 6, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the fix for CVE-2026-43083
  • If immediate patching is not possible, disable IOAM6 support in device configuration or unload the related kernel module until the patch is installed
  • After changes, monitor system logs for signs of kernel crashes or out‑of‑bounds errors and verify that the system is stable

Advisories

No advisories yet.

History

Wed, 06 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-20, CWE-362

Wed, 06 May 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | net: ioam6: fix OOB and missing lock
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:18.504Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43083

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T10:16:21.493

Modified: 2026-05-06T10:16:21.493

Link: CVE-2026-43083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T11:30:26Z

Weaknesses