Description
In the Linux kernel, the following vulnerability has been resolved:

net: ioam6: fix OOB and missing lock

When trace->type.bit6 is set:

if (trace->type.bit6) {
...
queue = skb_get_tx_queue(dev, skb);
qdisc = rcu_dereference(queue->qdisc);

This code can lead to an out-of-bounds access of the dev->_tx[] array
when is_input is true. In such a case, the packet is on the RX path and
skb->queue_mapping contains the RX queue index of the ingress device. If
the ingress device has more RX queues than the egress device (dev) has
TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.
Add a check to avoid this situation since skb_get_tx_queue() does not
clamp the index. This issue has also revealed that per queue visibility
cannot be accurate and will be replaced later as a new feature.

While at it, add missing lock around qdisc_qstats_qlen_backlog(). The
function __ioam6_fill_trace_data() is called from both softirq and
process contexts, hence the use of spin_lock_bh() here.
Published: 2026-05-06
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Linux kernel’s IOAM6 networking code allows a possible out-of-bounds array access when trace->type.bit6 is set. The code retrieves the transmit queue for a packet without clamping the index, so if the packet is on the device’s receive path and the ingress device has more receive queues than the egress device has transmit queues, the index can exceed dev->num_tx_queues and dereference dev->_tx[] out of bounds. This flaw is confined to internal kernel structures and would manifest as memory corruption or instability, though no exploit or crash behavior is explicitly documented.

Affected Systems

This issue applies to Linux kernel builds that include the IOAM6 subsystem and have not incorporated the change. No specific kernel version numbers are provided, so any kernel containing the affected code before the fix may be vulnerable. The CNA vendor list indicates Linux as the vendor.

Risk and Exploitability

The CVSS score of 9.1 reflects high severity for a kernel-level out-of-bounds access. The EPSS score is less than 1 percent, suggesting a low likelihood of exploitation at present. The vulnerability can be triggered by specially crafted network traffic that exercises the IOAM6 code path, implying a remote network attack vector. The vulnerability is not present in the CISA KEV catalog, and no public exploits have been reported as of the data provided.

Generated by OpenCVE AI on May 8, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the CVE-2026-43083 fix
  • If immediate patching is not possible, limit the use of IOAM6 traffic or disable IOAM6 support until the update is applied
  • After applying the fix, monitor system logs for signs of memory corruption or instability to confirm that the issue is resolved

Generated by OpenCVE AI on May 8, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Thu, 07 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-362

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-362

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc); This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature. While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.
Title net: ioam6: fix OOB and missing lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:23.786Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43083

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T10:16:21.493

Modified: 2026-05-08T13:16:38.550

Link: CVE-2026-43083

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43083 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T15:30:05Z

Weaknesses