Skip to main content

Linux Kernel CVE-2026-43186

| EUVD-2026-27747 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-06 Linux GHSA-8x8h-4g2v-qpf2
Buffer Overflow Linux Memory Corruption Red Hat Suse
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:35 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.8 (CRITICAL)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
CRITICAL 9.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic.

Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it:

  • in ioam6_iptunnel.c (send path, existing validation) to replace

the open-coded computation;

  • in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose

nodelen is inconsistent with the type field, before any data is written.

Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00).

AnalysisAI

Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all systems running affected Linux kernel versions (pre-5.15.202, pre-6.1.165, pre-6.6.128, pre-6.12.75, pre-6.18.16, pre-6.19.6, pre-7.0). Within 7 days: Prioritize patching internet-facing Linux systems and those processing untrusted IPv6 traffic; apply vendor-released patches to stable kernel branches matching your deployment (e.g., 6.6.128 for 6.6.x deployments). …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
CVE-2026-47334 MEDIUM
5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect
CVE-2026-47335 MEDIUM
5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic
CVE-2026-47327 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th

Vendor StatusVendor

Share

CVE-2026-43186 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy