Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix possible UAF in icmpv6_rcv()

Caching saddr and daddr before pskb_pull() is problematic
since skb->head can change.

Remove these temporary variables:

- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr
when net_dbg_ratelimited() is called in the slow path.

- Avoid potential future misuse after pskb_pull() call.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A potential use‑after‑free (UAF) vulnerability was discovered in the Linux kernel’s IPv6 handling, specifically within the icmpv6_rcv() function. The flaw arises when source and destination addresses are cached before the pskb_pull() operation, which can relocate skb->head and lead to a dangling pointer. If an attacker can trigger the incorrect inference, they could corrupt kernel memory or gain arbitrary code execution on the host, thereby compromising system integrity and enabling privilege escalation.

Affected Systems

All Linux kernel implementations that include the standard IPv6 stack, as the fix is part of the Linux kernel repository. The vulnerability applies to any kernel version prior to the commit that removed the temporary variables; no specific affected revision list is supplied.

Risk and Exploitability

it is inferred that a network‑based attack via crafted ICMPv6 packets can exploit the UAF. This use‑after‑free flaw can corrupt kernel memory or enable code execution with kernel privileges. The CVSS score of 9.8 indicates high severity for the flaw. The EPSS score is less than 1 very low but nonzero exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, so no additional mitigation is known. An attacker who successfully exploits the flaw could gain arbitrary code execution, potentially compromising or disabling the affected system.

Generated by OpenCVE AI on June 28, 2026 at 13:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit removing temporary variables in icmpv6_rcv()
  • If a direct kernel upgrade is unavailable, apply the upstream patch or distribution‑backported fix once it becomes available
  • Apply network filtering or firewall rules to limit or block unwanted ICMPv6 traffic from untrusted sources as a temporary protective measure

Generated by OpenCVE AI on June 28, 2026 at 13:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in icmpv6_rcv() Caching saddr and daddr before pskb_pull() is problematic since skb->head can change. Remove these temporary variables: - We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr when net_dbg_ratelimited() is called in the slow path. - Avoid potential future misuse after pskb_pull() call.
Title ipv6: fix possible UAF in icmpv6_rcv()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:45:21.921Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-53006

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53006 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference