Skip to main content

Linux Kernel CVE-2026-43038

| EUVDEUVD-2026-26637 CRITICAL
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-05-01 Linux
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:37 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
9.8 (CRITICAL)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26637
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2).

IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18.

If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).

This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao.

Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info?

Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this?

This patch implements the first suggestion.

I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.

AnalysisAI

Memory corruption in Linux kernel IPv6 ICMP error handling allows remote unauthenticated attackers to potentially achieve code execution or information disclosure. The vulnerability arises from incomplete control block (CB) sanitization when converting IPv4 ICMP errors to ICMPv6, enabling forged CIPSO options in outer IPv4 packets to manipulate inner IPv6 packet parsing. This can trigger out-of-bounds memory access extending into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is extremely low (0.02%, 7th percentile), no public exploit code exists, and CISA has not listed this as actively exploited. Patches are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Technical ContextAI

The vulnerability exists in the Linux kernel's IPv6 ICMP error generation code path, specifically in ip6_err_gen_icmpv6_unreach(). When the kernel receives an outer IPv4 ICMP error packet and needs to generate an ICMPv6 response, it clones the socket buffer (skb) without clearing the control block array. The IPv4 control block structure (inet_skb_parm) has a cipso offset field at byte 18 that directly overlaps with the dsthao (Destination Home Address Option) field in the IPv6 control block structure (inet6_skb_parm). An attacker can craft an IPv4 ICMP error packet containing a CIPSO IP option with a manipulated offset value. When this skb is cloned and passed to icmp6_send(), the mip6_addr_swap() function uses the corrupted dsthao offset to scan the attacker-controlled inner IPv6 packet via ipv6_find_tlv(). This can bypass length validation for the 18-byte ipv6_destopt_hao structure, potentially causing a 16-byte memory swap operation to read/write beyond packet boundaries into the skb_shared_info metadata structure. The fix clears the CB array during the IPv4-to-IPv6 ICMP conversion to prevent structure reinterpretation attacks.

RemediationAI

Upgrade to patched kernel versions immediately: 5.10.253+ for 5.10.x series, 5.15.203+ for 5.15.x series, 6.1.168+ for 6.1.x series, 6.6.134+ for 6.6.x series, 6.12.81+ for 6.12.x series, 6.18.22+ for 6.18.x series, 6.19.12+ for 6.19.x series, or upgrade to 7.0 mainline. Patches are available from https://git.kernel.org/stable/ with commit IDs documented in CVE references. Organizations unable to immediately patch can implement compensating controls: (1) Deploy network filtering to block or inspect IPv4 ICMP error packets containing CIPSO options (IP option type 134) at perimeter firewalls - note this may break legitimate CIPSO-based security labeling in DoD/classified environments, (2) Enable kernel hardening features like CONFIG_HARDENED_USERCOPY and CONFIG_FORTIFY_SOURCE to add runtime bounds checking that may detect exploitation attempts, (3) Restrict IPv6 ICMP functionality if not operationally required via sysctl net.ipv6.icmp.ratelimit or ip6tables rules blocking ICMPv6 type 1 (destination unreachable) - this will impair IPv6 path MTU discovery and network diagnostics. All compensating controls have operational trade-offs; patching remains the only complete mitigation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy