Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps
the next segment into ipv6_hdr->daddr, recompresses, then pulls the old
header and pushes the new one plus the IPv6 header back. The
recompressed header can be larger than the received one when the swap
reduces the common-prefix length the segments share with daddr (CmprI=0,
CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).

pskb_expand_head() was gated on segments_left == 0, so on earlier
segments the push consumed unchecked headroom. Once skb_push() leaves
fewer than skb->mac_len bytes in front of data,
skb_mac_header_rebuild()'s call to:

skb_set_mac_header(skb, -skb->mac_len);

will store (data - head) - mac_len into the u16 mac_header field, which
wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB
past skb->head.

A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two
segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one
pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.

Fix this by expanding the head whenever the remaining room is less than
the push size plus mac_len, and request that much extra so the rebuilt
MAC header fits afterwards.
Published: 2026-05-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE involves the ipv6_rpl_srh_rcv function when decompressing a Source Routing Header (SRH). When the recompressed SRH is larger than the original, the code uses skb_push to consume unchecked headroom, which produces a negative mac_header offset. This results in a 64 KiB out‑of‑bounds write to the packet buffer, as detected by KASAN. The flaw is a classic buffer overrun and also allows integer underflow leading to miscalculated headroom (CWE-131). Based on the description, it is inferred that an attacker can send a specially crafted IPv6 packet that forces the recompression to grow, thereby leveraging this flaw to corrupt memory and potentially gain code execution on the affected system.

Affected Systems

This flaw exists in the Linux kernel; all Linux distributions shipping an unpatched kernel version are potentially affected until a build incorporating the fix is released.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. The EPSS score of < 1% suggests a very low probability of exploitation, and the CVE is not listed in KEV. The vulnerability requires local or privileged ability to inject a crafted IPv6 packet with a SRH, typically via raw IPv6 traffic on the loopback or a compromised process with network privileges. The out‑of‑bounds write could lead to a kernel panic or, if an attacker obtains kernel mode code execution, full system compromise. Based on the description, the likely attack vector is local or via a user capable of sending raw IPv6 packets.

Generated by OpenCVE AI on May 30, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the fix that expands headroom before recompressing the SRH.
  • If an update cannot be performed immediately, block raw IPv6 traffic by configuring ip6tables or disabling the IPv6 module: sysctl net.ipv6.conf.all.disable_ipv6=1.
  • Monitor kernel logs for KASAN or out‑of‑bounds warnings to detect attempts to exploit the issue.

Generated by OpenCVE AI on May 30, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Sat, 30 May 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 21 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 21 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes). pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to: skb_set_mac_header(skb, -skb->mac_len); will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head. A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv. Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.
Title ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:16:09.311Z

Reserved: 2026-05-01T14:12:56.014Z

Link: CVE-2026-43501

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-21T13:16:19.410

Modified: 2026-06-01T17:17:07.350

Link: CVE-2026-43501

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-21T00:00:00Z

Links: CVE-2026-43501 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T16:30:27Z

Weaknesses
  • CWE-131

    Incorrect Calculation of Buffer Size