Skip to main content

Linux Kernel CVE-2026-43080

| EUVDEUVD-2026-27571 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-06 Linux GHSA-pmcg-f5m4-2gwp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 19:46 vuln.today
CVSS changed
Jun 01, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

l2tp: Drop large packets with UDP encap

syzbot reported a WARN on my patch series [1]. The actual issue is an overflow of 16-bit UDP length field, and it exists in the upstream code. My series added a debug WARN with an overflow check that exposed the issue, that's why syzbot tripped on my patches, rather than on upstream code.

syzbot's repro:

r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)

It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP encapsulation, and l2tp_xmit_core doesn't check for overflows when it assigns the UDP length field. The value gets trimmed to 16 bites.

Add an overflow check that drops oversized packets and avoids sending packets with trimmed UDP length to the wire.

syzbot's stack trace (with my patch applied):

len >= 65536u WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 Modules linked in: CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 Call Trace: <TASK> pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x503/0x550 net/socket.c:1195 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 vfs_writev+0x33c/0x990 fs/read_write.c:1059 do_writev+0x154/0x2e0 fs/read_write.c:1105 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f636479c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 </TASK>

[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/

AnalysisAI

Integer overflow in the Linux kernel's l2tp subsystem allows a local low-privileged attacker to cause a denial of service by sending oversized packets through a PPPoL2TP socket with UDP encapsulation. In l2tp_xmit_core() (net/l2tp/l2tp_core.c:1293), the UDP length field - constrained to 16 bits - is assigned a packet length value without any bounds check, silently truncating values exceeding 65535 bytes and producing malformed UDP frames on the wire or triggering a kernel WARN. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a syzbot reproducer is publicly documented in the upstream patch discussion.

Technical ContextAI

The L2TP (Layer 2 Tunneling Protocol) kernel implementation in net/l2tp/l2tp_core.c supports UDP encapsulation, where L2TP control and data frames are wrapped in UDP datagrams. The UDP header carries a 16-bit length field per RFC 768, capping the maximum datagram size at 65535 bytes. The function l2tp_xmit_core() constructs the outbound UDP header by assigning the computed payload length directly to this 16-bit field without an overflow guard. When a caller (e.g., pppol2tp_sendmsg() via writev()) passes a buffer exceeding 65535 bytes - as syzbot demonstrated with 0x34000 (212992) bytes - the assignment silently truncates the value, violating protocol semantics. The CWE classification supplied is CWE-674 (Uncontrolled Recursion), which does not accurately describe this bug; the root cause is integer truncation/overflow (more precisely CWE-190 or CWE-682). The 'Buffer Overflow' tag is also imprecise - this is a value-truncation issue in a header field, not a memory buffer overflow. CPE indicates all Linux kernel versions in the cpe:2.3:a:linux:linux:* range are affected, with the vulnerability introduced in Linux 2.6.23 (commit 3557baabf28).

RemediationAI

The primary fix is to upgrade to a patched stable kernel release: Linux 6.6.136 or later, 6.12.83 or later, 6.18.24 or later, 6.19.14 or later, or 7.0 (patched). Upstream fix commits are available at https://git.kernel.org/stable/c/9ccce02d501335f59a02f26c878c5e095b16302f (6.6.x), https://git.kernel.org/stable/c/77c1489398c85a844f90205f5e76fd6bc8bb4089 (6.12.x), https://git.kernel.org/stable/c/86534c97abd6365a9a021fd767a2023e63c44469 (6.19.x), and https://git.kernel.org/stable/c/f295fe86e22ff0a2ecebf05e30a387e5cf6f6ddc (mainline). As a compensating control where patching is not immediately feasible, restrict creation of L2TP and PPPoL2TP sockets by limiting the CAP_NET_ADMIN and related socket capabilities to trusted users only, using seccomp profiles or LSM (AppArmor/SELinux) rules to block socket$pppl2tp and socket$inet6_udp combinations from untrusted processes. Trade-off: this may break legitimate L2TP VPN use cases on the host. Unloading or blacklisting the l2tp_core and l2tp_ppp kernel modules (if not in use) eliminates the attack surface entirely but disables L2TP functionality.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy