Skip to main content

Linux Kernel CVE-2026-43037

| EUVDEUVD-2026-26636 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-01 Linux
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
May 04, 2026 - 18:26 nvd
Patch available
Analysis Generated
May 03, 2026 - 07:37 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
9.8 (CRITICAL)
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26636
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

Oskar Kjos reported the following problem.

ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).

To fix this we clear skb2->cb[], as suggested by Oskar Kjos.

Also add minimal IPv4 header validation (version == 4, ihl >= 5).

AnalysisAI

A stack-based buffer overflow in the Linux kernel's IPv6-to-IPv4 tunneling (ip6_tunnel) code allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability occurs when ip4ip6_err() passes a cloned skb with IPv6-formatted control buffer data to icmp_send(), which misinterprets it as IPv4 control buffer data. This type confusion causes __ip_options_echo() to read attacker-controlled packet data as a length value and copy up to that many bytes into a fixed 40-byte stack buffer, enabling remote exploitation with no prerequisites. EPSS score of 0.02% suggests limited exploitation probability despite critical CVSS 9.8 rating. Vendor-released patches are available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).

Technical ContextAI

The vulnerability resides in the IPv6 tunneling subsystem's error handling path, specifically the ip4ip6_err() function that processes ICMP errors for IPv4-over-IPv6 encapsulated packets. The Linux kernel uses a shared socket buffer control block (skb->cb[]) to store protocol-specific metadata, but different network layer protocols use incompatible struct layouts: IPv6 stores inet6_skb_parm while IPv4 expects inet_skb_parm. When ip4ip6_err() clones a packet and passes it to icmp_send() without clearing the control buffer, icmp_send() interprets the IPv6 metadata as IPv4 metadata. Critically, inet6_skb_parm.nhoff at byte offset 14 overlaps with inet_skb_parm.opt.rr (record route pointer). A non-zero value at this offset causes __ip_options_echo() to treat it as a valid record route offset, reading an attacker-controlled optlen value from the packet payload and copying that many bytes into a 40-byte fixed stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). This represents a classic type confusion vulnerability enabling controlled stack corruption. The affected code path has existed since commit c4d3efafcc93 introduced in kernel 2.6.22 (circa 2007), affecting nearly two decades of kernel releases.

RemediationAI

Upgrade to patched kernel versions: 7.0 or later for mainline, 6.19.12+ for 6.19.x branch, 6.18.22+ for 6.18.x, 6.12.81+ for 6.12.x, 6.6.134+ for 6.6.x LTS, 6.1.168+ for 6.1.x LTS, 5.15.203+ for 5.15.x LTS, or 5.10.253+ for 5.10.x LTS. Patches available at https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925 (mainline) and corresponding stable branch commits. Organizations unable to immediately patch can implement compensating controls: disable IPv6 tunneling modules (ip6_tunnel, sit) if not operationally required using 'modprobe -r ip6_tunnel sit' and blacklisting in /etc/modprobe.d/, though this breaks legitimate IPv6-over-IPv4 functionality. For systems requiring IPv6 tunnels, restrict tunnel endpoint access to trusted networks via iptables/nftables rules blocking IPv6 ICMP packets from untrusted sources, though this may impact legitimate network diagnostics and Path MTU Discovery. Note that disabling IPv6 entirely does not mitigate the issue as the vulnerable code path processes IPv4-in-IPv6 encapsulation. Firewall-based mitigations have limited effectiveness since the vulnerability triggers during ICMP error processing of existing tunnel sessions. Prioritize kernel patching over workarounds given the network-accessible attack surface.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy