Description
In the Linux kernel, the following vulnerability has been resolved:

6lowpan: fix off-by-one in multicast context address compression

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
is transmitted over the network via lowpan_push_hc_data(),
leaking kernel stack contents

The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
data[0..1] = s6_addr[1..2] (flags/scope + RIID)
data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against
similar bugs in the future.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, an off‑by‑one error in the 6lowpan multicast context address compression logic incorrectly copies memory, corrupting the RIID field and leaving a 4‑byte region of uninitialized kernel stack data in the compressed packet. When that packet is transmitted, the uninitialized bytes are exposed to any observer on the network, allowing an attacker to read portions of the kernel stack and potentially extract sensitive information. The vulnerability is a classic case of an off‑by‑one bug leading to information disclosure.

Affected Systems

All Linux kernel builds prior to the application of the patch commit (06ce6fc1…) that includes the lowpan_iphc_mcast_ctx_addr_compress fix. The bug affects the 6lowpan multicast traffic is potentially impacted.

Risk and Exploitability

The CVSS score is not available, and the EPSS is not disclosed, but the risk can be reasoned from the description: an attacker must craft a lowpan multicast packet and observe it on the network. No public exploit is known, and the vulnerability is limited to the transmission of kernel data rather than providing full remote code execution. However, the possibility of leaking kernel stack contents can aid in further attacks and, therefore, should be addressed promptly. The bug is not listed in the CISA impact warrants a high priority response for exposed systems.

Generated by OpenCVE AI on June 25, 2026 at 12:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version containing the commit 06ce6fc106b16dec9b535950db626261be865e5b, or apply the patch manually from the provided kernel sources. This replaces the incorrect memcpy offsets with the correct &data[2] and &ipaddr->s6_addr[12] and zero‑initializes the data array to prevent future leaks.
  • If an immediate kernel upgrade is not possible, disable or block 6lowpan multicast interfaces on all affected hosts until the patch is deployed, thereby preventing the erroneous data from being transmitted over the network. This can be achieved by unbinding the 6lowpan driver or configuring firewall rules to drop multicast traffic.
  • Set up network traffic monitoring for lowpan multicast packets and alert on suspicious patterns that could indicate leakage until the patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 12:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-170

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: 6lowpan: fix off-by-one in multicast context address compression The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses &data[1] as destination and &ipaddr->s6_addr[11] as source, but both should be offset by one: &data[2] and &ipaddr->s6_addr[12] respectively. This off-by-one has two consequences: 1. data[1] is overwritten with s6_addr[11], corrupting the RIID field in the compressed multicast address 2. data[5] is never written, so uninitialized kernel stack memory is transmitted over the network via lowpan_push_hc_data(), leaking kernel stack contents The correct inline data layout must match what the decompression function lowpan_uncompress_multicast_ctx_daddr() expects: data[0..1] = s6_addr[1..2] (flags/scope + RIID) data[2..5] = s6_addr[12..15] (group ID) Also zero-initialize the data array as a defensive measure against similar bugs in the future.
Title 6lowpan: fix off-by-one in multicast context address compression
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:51.215Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53263

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T12:15:03Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-170

    Improper Null Termination