CVE-2026-53228 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function
entry and continues using it after iptunnel_handle_offloads().

For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().
When the skb header is cloned, skb_header_unclone() can call
pskb_expand_head(), which may move the skb head. The pskb_expand_head()
contract requires pointers into the skb header to be reloaded after the
call.

If the later skb_realloc_headroom() branch is not taken, SIT uses the
stale iph6 pointer to read the inner hop limit and DS field. That can
read from a freed skb head after the old head's remaining clone is
released.

Reload iph6 after the offload helper succeeds and before subsequent
reads from the inner IPv6 header. Keep the existing reload after
skb_realloc_headroom(), since that branch can also replace the skb.

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernel's IPv6 tunnel (sit) code where an inner IPv6 header pointer is cached at function entry and reused after generic segmentation offload (GSO) handling. During offload processing, the socket buffer header may be cloned or reallocated, invalidating the cached pointer. The stale pointer can then be used to read the hop limit and DS field from a freed memory area. This improper read could leak sensitive packet information or lead to memory corruption at the kernel level, jeopardizing system integrity.

Affected Systems

All Linux kernel releases that include the sit tunnel code and have not incorporated the upstream fix are affected. The vulnerability applies broadly to Linux kernels running any version before the patch commit referenced in the provided kernel patches.

Risk and Exploitability

The EPSS score is unavailable not currently listed in CISA's KEV catalog, indicating no active exploitation reports. Nevertheless, the flaw could be exploitable by a privileged local attacker who can construct a tunnel packet that triggers GSO processing. The risk level is moderate: while the vulnerability may lead to data leakage or memory corruption, it requires specific conditions and is not immediately widely exploitable. No public exploits are known at this time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< fddd41445a0537b093e6b3f6232c9933cad1e48b
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< 1132e5edc2866c3530be17622153a597095f0e43
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< 9c67b44edb3598d234efae6e44649eb993c03da5
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< 0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< 59f80c919713250fe5d25a4d9aea4e49580fa1d4
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< 2fa49b2715e1bad12ce3b0fa64e234d9582c8193
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c
`14909664e4e192f4c6f6fcdccd9919af7cf783ab`	affected	< f0e42f0c4337b1f220de1ddd63f47197c7dee4de

Linux

affected

Version	Status	Constraints
`3.18`	affected	—
`0`	unaffected	< 3.18
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that includes the fix for CVE-2026-53228.
If an immediate kernel upgrade cannot be performed, disable Generic Segmentation Offload for sit tunnels or unload the sit module until the patch is applied.
Continuously monitor kernel security advisories for additional updates and verify the running kernel version corresponds to a patched state.

Generated by OpenCVE AI on June 25, 2026 at 11:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0
https://git.kernel.org/stable/c/1132e5edc2866c3530be17622153a597095f0e43
https://git.kernel.org/stable/c/2fa49b2715e1bad12ce3b0fa64e234d9582c8193
https://git.kernel.org/stable/c/59f80c919713250fe5d25a4d9aea4e49580fa1d4
https://git.kernel.org/stable/c/9c67b44edb3598d234efae6e44649eb993c03da5
https://git.kernel.org/stable/c/cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c
https://git.kernel.org/stable/c/f0e42f0c4337b1f220de1ddd63f47197c7dee4de
https://git.kernel.org/stable/c/fddd41445a0537b093e6b3f6232c9933cad1e48b

History

Thu, 25 Jun 2026 11:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-590

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.
Title		ipv6: sit: reload inner IPv6 header after GSO offloads
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0 https://git.kernel.org/stable/c/1132e5edc2866c3530be17622153a597095f0e43 https://git.kernel.org/stable/c/2fa49b2715e1bad12ce3b0fa64e234d9582c8193 https://git.kernel.org/stable/c/59f80c919713250fe5d25a4d9aea4e49580fa1d4 https://git.kernel.org/stable/c/9c67b44edb3598d234efae6e44649eb993c03da5 https://git.kernel.org/stable/c/cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c https://git.kernel.org/stable/c/f0e42f0c4337b1f220de1ddd63f47197c7dee4de https://git.kernel.org/stable/c/fddd41445a0537b093e6b3f6232c9933cad1e48b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:27.893Z

Updated: 2026-06-25T08:39:27.893Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53228

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Weaknesses

CWE-590
Free of Memory not on the Heap

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object