Skip to main content

Linux Kernel CVE-2026-43501

| EUVDEUVD-2026-31276 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-21 Linux GHSA-fqx3-r8j8-73qq
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 13:28 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.8 (CRITICAL)
Patch available
May 21, 2026 - 13:01 EUVD
CVE Published
May 21, 2026 - 12:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 21, 2026 - 12:17 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).

pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:

skb_set_mac_header(skb, -skb->mac_len);

will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.

A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.

Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.

AnalysisAI

Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.

Technical ContextAI

The vulnerable code is in net/ipv6/exthdrs.c within ipv6_rpl_srh_rcv(), which processes RFC 6554 Source Routing Headers used by the Routing Protocol for Low-Power and Lossy Networks (RPL). The handler decompresses the SRH, swaps the next segment into the IPv6 destination address, recompresses, and pushes the rebuilt header back onto the skb. Because the recompressed header can grow by up to 8 bytes when the segment swap reduces the common prefix shared with the new daddr (with parameters CmprI=0 and CmprE>0), and the prior pskb_expand_head() call was gated on segments_left==0, intermediate segments could push past available headroom. Once skb_push() leaves fewer bytes than skb->mac_len, skb_set_mac_header(skb, -skb->mac_len) stores a negative offset into a u16 field that wraps to ~65530, and the subsequent memmove writes mac_len bytes roughly 64KiB past skb->head - a classic heap out-of-bounds write. The root cause class is improper bounds checking on a packet-driven length calculation (CWE-787-style condition, though CWE is not assigned in the input).

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc2 or later as appropriate for your maintained branch; the upstream fixes are committed at https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37 and the related stable backports listed in the references. For systems that cannot be patched immediately, mitigate by restricting CAP_NET_RAW (which is required to open AF_INET6/SOCK_RAW with IPV6_HDRINCL) to trusted processes only, and consider disabling IPv6 RPL processing if not needed by unloading or blacklisting the RPL functionality - note that disabling raw sockets will break tools such as ping, traceroute, and some container/network agents. Additional layered controls include enabling user namespace restrictions (sysctl kernel.unprivileged_userns_clone=0 on distros where applicable) so unprivileged users cannot acquire CAP_NET_RAW inside a user namespace, with the trade-off of breaking rootless container workflows.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

CVE-2026-43501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy