Skip to main content

Linux Kernel CVE-2026-46037

| EUVDEUVD-2026-32418 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hxj2-jf3v-xp24
8.2
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:39 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.2 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 8.2
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: validate reply type before using icmp_pointers

Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES.

Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged.

AnalysisAI

Out-of-bounds read in the Linux kernel's IPv4 ICMP handling allows remote attackers to trigger denial of service and potential information disclosure by sending crafted ICMP Extended Echo Reply packets. The flaw stems from the kernel consulting the icmp_pointers[] array with reply types (ICMP_EXT_ECHOREPLY) that fall outside its bounded range (NR_ICMP_TYPES). No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the network attack vector and high availability impact make patching a priority for exposed Linux hosts.

Technical ContextAI

The vulnerability resides in the Linux kernel's IPv4 ICMP subsystem (net/ipv4/icmp.c), which maintains a static lookup table icmp_pointers[] indexed by ICMP type. This table was sized for traditional ICMP types up to NR_ICMP_TYPES, but RFC 8335 Extended Echo Reply uses the type value ICMP_EXT_ECHOREPLY (42), which exceeds that bound. Without validation, the kernel performed an out-of-bounds array access; the fix adds an explicit range check and uses array_index_nospec() to harden against speculative side-channel leaks (Spectre v1) when looking up valid entries. This is consistent with CWE-125 (Out-of-bounds Read) and CWE-1037 (speculative execution variant), though no CWE was assigned in the input data.

RemediationAI

Apply the vendor-released patch by upgrading to a fixed Linux kernel: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or your distribution's backport containing the listed stable commits at https://git.kernel.org/stable/c/67bf002a2d7387a6312138210d0bd06e3cf4879b, https://git.kernel.org/stable/c/92e7c209036dcc0e8ffdf806fdfd3645b263bea5, https://git.kernel.org/stable/c/bc64a66e0b9ad937d3d49934242ee62b01ba9a94, https://git.kernel.org/stable/c/c2178ff1c70ebfc2ab9651b230c58a34683db759, and https://git.kernel.org/stable/c/d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1). As a compensating control until patching, block inbound ICMP type 42 (ICMP_EXT_ECHOREPLY) at the host or perimeter firewall using iptables/nftables (e.g., iptables -A INPUT -p icmp --icmp-type 42 -j DROP), which prevents the trigger packet from reaching the kernel parser; the side effect is loss of RFC 8335 extended-echo diagnostics, which most environments do not rely on. Avoid blanket ICMP drops if you depend on path MTU discovery (type 3) or standard echo (types 0/8).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy