Description
In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: ioam6: prevent schema length wraparound in trace fill

ioam6_fill_trace_data() stores the schema contribution to the trace
length in a u8. With bit 22 enabled and the largest schema payload,
sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the
remaining-space check. __ioam6_fill_trace_data() then positions the
write cursor without reserving the schema area but still copies the
4-byte schema header and the full schema payload, overrunning the trace
buffer.

Keep sclen in an unsigned int so the remaining-space check and the write
cursor calculation both see the full schema length.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's ioam6 trace handling stores the schema contribution to the trace length in a one-byte field. The value can wrap around, bypass the remaining-space check, and allow the full schema payload to be copied beyond the end of the trace buffer. Based on the description, it is inferred that this defect could lead to corruption of kernel memory and potentially arbitrary code execution on the host. The vulnerability directly affects kernel operations related to IPv6 trace data handling and is thus a kernel-level flaw.
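The wraparound in the description (1 + 1020 / 4 = 256, stored in a u8) can be reproduced in a simplified user-space model. This is an added example, not the kernel's code; the helper names, the 8-unit remaining space and the sample payload sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Schema contribution in 4-octet units: 1 header word plus the payload words. */
static unsigned int schema_units(unsigned int schema_bytes)
{
    return 1 + schema_bytes / 4;
}

/* Pre-fix model: the contribution is held in 8 bits, so 256 becomes 0. */
static int check_passes_u8(unsigned int remaining_units, unsigned int schema_bytes)
{
    uint8_t sclen = (uint8_t)schema_units(schema_bytes);
    return remaining_units >= sclen;
}

/* Post-fix model: the full value reaches the remaining-space check. */
static int check_passes_uint(unsigned int remaining_units, unsigned int schema_bytes)
{
    unsigned int sclen = schema_units(schema_bytes);
    return remaining_units >= sclen;
}

/* Bytes a copy of the 4-byte header plus payload would place past the space left. */
static unsigned int overrun_bytes(unsigned int remaining_units, unsigned int schema_bytes)
{
    unsigned int need = 4 + schema_bytes;
    unsigned int have = remaining_units * 4;
    return need > have ? need - have : 0;
}

int main(void)
{
    const unsigned int remaining = 8;                 /* constructed: 32 bytes left */
    const unsigned int sizes[] = { 16, 1016, 1020 };  /* constructed payload sizes */

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        unsigned int n = sizes[i];
        printf("payload=%4u units=%3u u8_check=%d uint_check=%d overrun_if_copied=%u\n",
               n, schema_units(n), check_passes_u8(remaining, n),
               check_passes_uint(remaining, n), overrun_bytes(remaining, n));
    }
    return 0;
}
```

Only the largest payload wraps: 1016 bytes gives 255 units, which still fails the 8-bit check, while 1020 bytes gives 256 units, which the 8-bit field reads as 0.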

Affected Systems

The affected product is the Linux operating system kernel. No specific kernel version range is supplied in the data, implying that all kernels prior to the patch that introduced the overflow fix are susceptible. The vendor information lists "Linux:Linux" and the Common Platform Enumeration string references the generic Linux kernel. System administrators should treat any unpatched Linux kernel as vulnerable until further information delineates precise version bounds.

Risk and Exploitability

The CVSS score is 7.0, the EPSS metric is not available, and the vulnerability is not listed in the CISA KEV catalog, so there is a published severity score but no record of known exploitation. The flaw resides in a core kernel component that parses IPv6 trace data; therefore, based on the description, it is inferred that an attacker would need to be able to inject or influence such trace packets, implying a local or remote network-based attack vector. While the lack of official exploitation evidence lowers the immediate risk, the issue is a kernel buffer overflow and warrants prompt mitigation to prevent a potential privilege-escalation or arbitrary-code-execution attack.

Generated by OpenCVE AI on May 9, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the ioam6 trace length wraparound fix (commit 184d2e9db27c0f76226b5cad16fe29510a5d2280).
  • If the ioam6 trace functionality is not required for your deployment, disable it by setting the appropriate sysctl or kernel configuration option to eliminate the vulnerable code path.
  • Continuously monitor kernel logs for signs of trace buffer overrun or anomalous kernel crashes, and consider implementing a block rule to filter suspicious IPv6 trace packets until a patch is applied.


Advisories

No advisories yet.

History

Sat, 09 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-120

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 08 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-120

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Title net/ipv6: ioam6: prevent schema length wraparound in trace fill
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:37:19.256Z

Reserved: 2026-05-01T14:12:56.003Z

Link: CVE-2026-43341

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T14:16:44.050

Modified: 2026-05-08T14:16:44.050

Link: CVE-2026-43341

Redhat

Severity: Important

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43341 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T03:30:24Z

Weaknesses