Skip to main content

Linux Kernel CVE-2026-43083

| EUVDEUVD-2026-27576 CRITICAL
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-29pf-hv9p-f96v
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:24 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.1 (CRITICAL)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ioam6: fix OOB and missing lock

When trace->type.bit6 is set:

if (trace->type.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc);

This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature.

While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.

AnalysisAI

Out-of-bounds memory access in Linux kernel IOAM6 networking code allows remote unauthenticated attackers to read sensitive kernel memory or crash systems via crafted IPv6 packets with IOAM trace options. The vulnerability triggers when RX queue indices from ingress devices exceed TX queue counts on egress devices, causing array boundary violations in network qdisc operations. Additionally, a missing spinlock enables race conditions in queue statistics access from concurrent softirq and process contexts. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation. Vendor patches available across multiple stable kernel branches.

Technical ContextAI

This vulnerability affects the In-situ Operations, Administration, and Maintenance for IPv6 (IOAM6) implementation in the Linux kernel networking stack, specifically in the __ioam6_fill_trace_data() function. IOAM6 is defined in RFC 9197 and allows recording operational data within IPv6 packet headers. The flaw occurs when processing IOAM trace type bit 6 options during packet forwarding. The skb_get_tx_queue() function retrieves queue indices from skb->queue_mapping without bounds checking. On the receive path (is_input=true), this mapping contains the ingress device's RX queue index. When dereferencing dev->_tx[] array elements via netdev_get_tx_queue(), an out-of-bounds access occurs if the ingress device has more RX queues than the egress device has TX queues (dev->num_tx_queues). The secondary issue involves qdisc_qstats_qlen_backlog() being called without proper locking protection despite the function executing in both softirq (network packet processing) and process (userspace syscall) contexts, creating race condition opportunities in queue discipline statistics access.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.18.24 or later for 6.18.x series, 6.19.14 or later for 6.19.x series, or 7.0 for mainline tracking systems. Patches are available from https://git.kernel.org/stable/c/6d1d9ed9b409e0662241e3d245d574a18f643494, https://git.kernel.org/stable/c/95a1334748c95dd15546056280ade0c4b8dd7b78, and https://git.kernel.org/stable/c/b30b1675aa2bcf0491fd3830b051df4e08a7c8ca. Organizations unable to immediately patch can disable IPv6 IOAM6 processing by ensuring the kernel is not built with CONFIG_IPV6_IOAM6_LWTUNNEL or by blocking IPv6 packets containing IOAM options (IPv6 Hop-by-Hop extension header type 49) at network perimeters using firewall rules, though this breaks legitimate IOAM6-based monitoring if deployed. Note that disabling IOAM6 eliminates the vulnerable code path entirely but also removes operational visibility features if they were being utilized. For systems requiring IOAM6 functionality, patching is mandatory as no configuration-level workaround exists that maintains feature availability. Standard kernel update procedures apply with recommended reboot to activate the fixed kernel.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy