Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps
the next segment into ipv6_hdr->daddr, recompresses, then pulls the old
header and pushes the new one plus the IPv6 header back. The
recompressed header can be larger than the received one when the swap
reduces the common-prefix length the segments share with daddr (CmprI=0,
CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).

pskb_expand_head() was gated on segments_left == 0, so on earlier
segments the push consumed unchecked headroom. Once skb_push() leaves
fewer than skb->mac_len bytes in front of data,
skb_mac_header_rebuild()'s call to:

skb_set_mac_header(skb, -skb->mac_len);

will store (data - head) - mac_len into the u16 mac_header field, which
wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB
past skb->head.

A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two
segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one
pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.

Fix this by expanding the head whenever the remaining room is less than
the push size plus mac_len, and request that much extra so the rebuilt
MAC header fits afterwards.
Published: 2026-05-21
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE involves the ipv6_rpl_srh_rcv function when decompressing a Source Routing Header (SRH). When the recompressed SRH is larger than the original, the code uses skb_push to consume unchecked headroom, resulting in a negative mac_header offset. This causes a 64 KiB out‑of‑bounds write to the packet buffer, as detected by KASAN. An attacker who can send a specially crafted IPv6 packet that forces the recompression to grow can leverage this flaw to corrupt memory, potentially gaining code execution on the affected system.

Affected Systems

This flaw exists in the Linux kernel; no specific kernel versions are identified in the data. All distributions that ship the unpatched kernel should be considered affected until a build incorporating the fix is released.

Risk and Exploitability

The CVE is not listed in KEV, and no EPSS score is available, so the likelihood of exploitation is currently unknown. However, the vulnerability requires local ability to inject an IPv6 packet with a SRH into the system, which is typically an attacker with privileged network access or a local compromised process. The OOB write could lead to a kernel panic or more serious exploitation if the attacker can execute code in kernel mode. The impact is high because kernel corruption can lead to full system compromise. The attack vector is inferred to be local or via a compromised user capable of sending raw IPv6 packets.

Generated by OpenCVE AI on May 21, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the fix that expands headroom before recompressing the SRH.
  • If an update cannot be performed immediately, block raw IPv6 traffic by configuring ip6tables or disabling the IPv6 module: sysctl net.ipv6.conf.all.disable_ipv6=1.
  • Monitor kernel logs for KASAN or out‑of‑bounds warnings to detect attempts to exploit the issue.

Generated by OpenCVE AI on May 21, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 21 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes). pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to: skb_set_mac_header(skb, -skb->mac_len); will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head. A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv. Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.
Title ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-21T12:17:49.885Z

Reserved: 2026-05-01T14:12:56.014Z

Link: CVE-2026-43501

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-21T13:16:19.410

Modified: 2026-05-21T13:16:19.410

Link: CVE-2026-43501

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T13:45:11Z

Weaknesses