Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function
entry and continues using it after iptunnel_handle_offloads().

For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().
When the skb header is cloned, skb_header_unclone() can call
pskb_expand_head(), which may move the skb head. The pskb_expand_head()
contract requires pointers into the skb header to be reloaded after the
call.

If the later skb_realloc_headroom() branch is not taken, SIT uses the
stale iph6 pointer to read the inner hop limit and DS field. That can
read from a freed skb head after the old head's remaining clone is
released.

Reload iph6 after the offload helper succeeds and before subsequent
reads from the inner IPv6 header. Keep the existing reload after
skb_realloc_headroom(), since that branch can also replace the skb.
Published: 2026-06-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the sit (IPv6 over IPv4 tunnel) implementation caches a pointer to the inner IPv6 header at the entry of ipip6_tunnel_xmit() and later relies on that same pointer after Generic Segmentation Offload (GSO) processing. During GSO, iptunnel_handle_offloads() may clone or reallocate the socket buffer header, causing the skb head to move and leaving the cached pointer stale. Subsequent code reads the hop limit and DS field from this stale pointer, potentially accessing freed memory. This misuse of a cached pointer is a classic buffer misuse flaw (CWE‑825) that can lead to an out‑of‑bounds read or kernel memory corruption, jeopardizing system integrity and possibly leaking sensitive packet data.

Affected Systems

All Linux kernel releases that still contain the unpatched sit tunnel code are affected. The flaw exists in the kernel code that has not yet incorporated the upstream patch for the commit referenced in the provided kernel patches. Distribution kernels that ship the affected code before the fix are therefore at risk. The vulnerability applies to any Linux system running a kernel version older than the patched commit.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a very low probability of exploitation under current conditions. The CVSS score of 9.8 reflects a severe potential impact, including kernel memory corruption and possible data leakage. Based on the description, it is inferred that an attacker could exploit this flaw by sending specially crafted SIP tunnel traffic that triggers GSO offloading, thereby causing the stale header pointer to be used. Such an attack would likely require local or privileged access to construct the packet, and no public exploits are known at present.

Generated by OpenCVE AI on June 28, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the upstream fix for CVE-2026-53228.
  • If an immediate kernel upgrade is not feasible, disable Generic Segmentation Offload for sit tunnels by setting the sysctl net.ipv6.neigh.disable=1 for the interface, or unload the sit module until the patch is applied.
  • Continuously monitor kernel security advisories and verify that the running kernel is the patched version before the vulnerability is publicly exploited.

Generated by OpenCVE AI on June 28, 2026 at 13:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-590

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-590

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.
Title ipv6: sit: reload inner IPv6 header after GSO offloads
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:38.747Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53228

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53228 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:30:06Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference