Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

On the receive path, __ioam6_fill_trace_data() uses trace->nodelen
to decide how much data to write for each node. It trusts this field
as-is from the incoming packet, with no consistency check against
trace->type (the 24-bit field that tells which data items are
present). A crafted packet can set nodelen=0 while setting type bits
0-21, causing the function to write ~100 bytes past the allocated
region (into skb_shared_info), which corrupts adjacent heap memory
and leads to a kernel panic.

Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to
derive the expected nodelen from the type field, and use it:

- in ioam6_iptunnel.c (send path, existing validation) to replace
the open-coded computation;
- in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose
nodelen is inconsistent with the type field, before any data is
written.

Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they
are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to
0xff1ffc00).
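The consistency check described above, as an added user-space example (not the kernel's code and not part of the original advisory). The function names and the constructed type value are hypothetical; the short-field masks are the two values quoted on this page, and the wide-field mask (bits 8-10, 8-octet items) and the 4-octet unit of nodelen are taken from RFC 9197.

```c
#include <stdint.h>
#include <stdio.h>

/* Masks over the host-order 32-bit word whose upper 24 bits hold the trace
 * type (type bit 0 is 0x80000000). */
#define OLD_MASK_SHORT 0xff100000u /* before the fix, as quoted on this page */
#define NEW_MASK_SHORT 0xff1ffc00u /* after the fix: bits 12-21 included */
#define MASK_WIDE      0x00e00000u /* bits 8-10, per RFC 9197 (assumption) */

/* Count set bits; user-space stand-in for a population-count helper. */
static unsigned popcount32(uint32_t v)
{
    unsigned n = 0;
    for (; v; v &= v - 1)
        n++;
    return n;
}

/* Expected per-node length in 4-octet units: each short field adds one
 * unit, each wide field adds two. */
unsigned model_nodelen(uint32_t type, uint32_t short_mask)
{
    return popcount32(type & short_mask) + 2 * popcount32(type & MASK_WIDE);
}

/* Receive-side rule: accept a trace header only if the nodelen carried in
 * the packet equals the value derived from its type field. */
int model_trace_is_consistent(uint32_t type, unsigned pkt_nodelen)
{
    return pkt_nodelen == model_nodelen(type, NEW_MASK_SHORT);
}

int main(void)
{
    uint32_t type = 0xfffffc00u; /* constructed sample: type bits 0-21 set */

    printf("derived nodelen (new mask): %u units = %u bytes\n",
           model_nodelen(type, NEW_MASK_SHORT),
           4 * model_nodelen(type, NEW_MASK_SHORT));
    printf("derived nodelen (old mask): %u units\n",
           model_nodelen(type, OLD_MASK_SHORT));
    printf("packet nodelen=0  accepted: %d\n", model_trace_is_consistent(type, 0));
    printf("packet nodelen=25 accepted: %d\n", model_trace_is_consistent(type, 25));
    return 0;
}
```

With type bits 0-21 set, the derived length is 25 units, i.e. 100 bytes per node, which matches the size of the out-of-bounds write in the description; a header claiming nodelen=0 for that type fails the check and would be dropped before any data is written.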
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a heap buffer overflow in the __ioam6_fill_trace_data() routine. The function blindly trusts the nodelen field supplied in an incoming IPv6 packet’s IOAM extension header, without validating it against the type field that declares which data items are present. An attacker can craft a packet with a zero nodelen while setting type bits corresponding to data items, causing the function to write roughly 100 bytes past the allocated buffer and corrupt heap memory. This corruption can trigger a kernel panic, effectively causing a denial of service.

Affected Systems

All Linux kernel builds that do not yet include the patch that adds ioam6_trace_compute_nodelen() and the accompanying validation logic. The patch was applied to the mainline kernel; therefore, any system running a kernel version from before the change is affected.

Risk and Exploitability

The vulnerability can be exploited remotely by sending a malicious IPv6 packet that includes an IOAM trace header whose nodelen is inconsistent with its type field. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, but because the flaw results in a critical kernel crash and requires minimal specialized knowledge, the risk is considered high. An attacker who can reach the target system over the network can trigger the flaw without authentication.

Generated by OpenCVE AI on May 6, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the ioam6 trace bug fix
  • If an immediate kernel update is not possible, disable or remove IOAM tracing support from the kernel configuration and recompile the kernel
  • Filter or block incoming IPv6 packets that contain IOAM extension headers with malformed or suspicious nodelen values using firewall or network policies
  • Monitor kernel logs and crash reports to detect and respond to any unexpected kernel panics that may indicate a pending exploitation attempt



Advisories

No advisories yet.

History

Wed, 06 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-122 |

Wed, 06 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Same text as the Description at the top of this page |
| Title | | ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:57.053Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43186

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:37.300

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:15:06Z

Weaknesses