CVE-2026-46037 - Vulnerability Details

- ipv4: icmp: validate reply type before using icmp_pointers

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: validate reply type before using icmp_pointers

Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.
That value is outside the range covered by icmp_pointers[], which only
describes the traditional ICMP types up to NR_ICMP_TYPES.

Avoid consulting icmp_pointers[] for reply types outside that range, and
use array_index_nospec() for the remaining in-range lookup. Normal ICMP
replies keep their existing behavior unchanged.

Published: 2026-05-27

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel contains a flaw that causes ICMP extended echo reply packets to be processed without first verifying the packet’s type. Because the ICMP extension type is greater than the range handled by the icmp_pointers array, the code may look up outside that array bounds. This can lead to an out‑of‑bounds memory access that may expose kernel memory contents or overwrite pointers, potentially allowing an attacker to gain kernel execution or cause a crash. The weakness corresponds to an unvalidated array index situation.

Affected Systems

All Linux kernels running the unpatched code before the commit that added validation are affected. The vulnerability is present in the mainline kernel until the fix is merged; administrators should verify that their kernel version includes the patch referenced in the provided commit links. Exact version ranges are not specified in the data.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog, so its current exploitation probability is low. However, the likely attack vector is by sending crafted ICMP extended echo reply packets from an external host, inferred from the nature of the vulnerability. The CVSS score of 8.2 indicates high severity, meaning that while the flaw is serious, it still may not be widely exploited but poses a strong risk that could compromise system integrity if exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d329ea5bd8845f0b196bf41b18b6173340d6e0e4`	affected	< b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99
`d329ea5bd8845f0b196bf41b18b6173340d6e0e4`	affected	< 93df2af4f491de33827550b9d420f01808c0706b
`d329ea5bd8845f0b196bf41b18b6173340d6e0e4`	affected	< 92e7c209036dcc0e8ffdf806fdfd3645b263bea5
`d329ea5bd8845f0b196bf41b18b6173340d6e0e4`	affected	< bc64a66e0b9ad937d3d49934242ee62b01ba9a94
`d329ea5bd8845f0b196bf41b18b6173340d6e0e4`	affected	< c2178ff1c70ebfc2ab9651b230c58a34683db759
`d329ea5bd8845f0b196bf41b18b6173340d6e0e4`	affected	< d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1
`d329ea5bd8845f0b196bf41b18b6173340d6e0e4`	affected	< 67bf002a2d7387a6312138210d0bd06e3cf4879b

Linux

affected

Version	Status	Constraints
`5.13`	affected	—
`0`	unaffected	< 5.13
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[d329ea5bd8845f0b196bf41b18b6173340d6e0e4,92e7c209036dcc0e8ffdf806fdfd3645b263bea5)`	affected	code_commit	—
`[d329ea5bd8845f0b196bf41b18b6173340d6e0e4,bc64a66e0b9ad937d3d49934242ee62b01ba9a94)`	affected	code_commit	—
`[d329ea5bd8845f0b196bf41b18b6173340d6e0e4,c2178ff1c70ebfc2ab9651b230c58a34683db759)`	affected	code_commit	—
`[d329ea5bd8845f0b196bf41b18b6173340d6e0e4,d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1)`	affected	code_commit	—
`[d329ea5bd8845f0b196bf41b18b6173340d6e0e4,67bf002a2d7387a6312138210d0bd06e3cf4879b)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.13`	affected	semver	—
`[0,5.13)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that adds validation for ICMP_EXT_ECHOREPLY types, updating the kernel to the latest stable release that contains the commit referenced in the advisory.
If patching cannot be performed immediately, restrict inbound ICMP traffic by configuring a firewall rule that drops or limits ICMP_EXT_ECHOREPLY packets from untrusted sources.
Enable kernel hardening features such as CONFIG_RESTRICTED_KERNEL or SELinux to reduce the impact of any remaining memory corruption.

Generated by OpenCVE AI on May 30, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00439.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/67bf002a2d7387a6312138210d0bd06e3cf4879b
https://git.kernel.org/stable/c/92e7c209036dcc0e8ffdf806fdfd3645b263bea5
https://git.kernel.org/stable/c/93df2af4f491de33827550b9d420f01808c0706b
https://git.kernel.org/stable/c/b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99
https://git.kernel.org/stable/c/bc64a66e0b9ad937d3d49934242ee62b01ba9a94
https://git.kernel.org/stable/c/c2178ff1c70ebfc2ab9651b230c58a34683db759
https://git.kernel.org/stable/c/d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1
https://lore.kernel.org/linux-cve-announce/2026052750-CVE-2026-46037-aa9f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46037
https://www.cve.org/CVERecord?id=CVE-2026-46037

History

Tue, 16 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/93df2af4f491de33827550b9d420f01808c0706b https://git.kernel.org/stable/c/b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99

Sat, 30 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-125

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}`

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026052750-CVE-2026-46037-aa9f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46037 https://www.cve.org/CVERecord?id=CVE-2026-46037
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: validate reply type before using icmp_pointers Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES. Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged.
Title		ipv4: icmp: validate reply type before using icmp_pointers
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/67bf002a2d7387a6312138210d0bd06e3cf4879b https://git.kernel.org/stable/c/92e7c209036dcc0e8ffdf806fdfd3645b263bea5 https://git.kernel.org/stable/c/bc64a66e0b9ad937d3d49934242ee62b01ba9a94 https://git.kernel.org/stable/c/c2178ff1c70ebfc2ab9651b230c58a34683db759 https://git.kernel.org/stable/c/d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:56:47.795Z

Updated: 2026-06-14T17:49:43.163Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46037

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:23.027

Modified: 2026-06-16T15:17:15.703

Link: CVE-2026-46037

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46037 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T14:45:25Z

Weaknesses

CWE-1285
Improper Validation of Specified Index, Position, or Offset in Input
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object