Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remotely reachable via ICMPv6 (AV:N, PR:N) but needs a reallocation race plus enabled debug logging (AC:H); impact is limited to a memory-disclosure log leak or crash, so C:L/A:L and I:N.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix possible UAF in icmpv6_rcv()
Caching saddr and daddr before pskb_pull() is problematic since skb->head can change.
Remove these temporary variables:
- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr
when net_dbg_ratelimited() is called in the slow path.
- Avoid potential future misuse after pskb_pull() call.
AnalysisAI
Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two non-default conditions: (1) kernel network debug logging must be active, because the stale saddr/daddr pointers are dereferenced only inside net_dbg_ratelimited() on the slow path, and (2) an incoming ICMPv6 packet must trigger a pskb_pull() that actually relocates skb->head, a reallocation race. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict sharply and should be reconciled before prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on a network path to the target sends crafted ICMPv6 packets that take the error/slow path in icmpv6_rcv() while conditions cause pskb_pull() to reallocate the skb buffer, so the kernel logs using pointers into freed memory. On a host with network debug logging enabled this can leak stale buffer contents into kernel logs or destabilize the system; no public exploit code is identified at time of analysis and reliable triggering depends on a memory-reallocation race. |
| Remediation | Vendor-released patch: update to a fixed stable kernel for your branch - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1 (or your distribution's backported equivalent). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems and document kernel versions across production infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38874
GHSA-f2fg-xhhc-4m4w