Skip to main content

Linux Kernel EUVDEUVD-2026-21934

| CVE-2026-31415 MEDIUM
Reachable Assertion (CWE-617)
2026-04-13 Linux GHSA-2rf4-5672-vqwm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 15:53 vuln.today
CVSS changed
May 20, 2026 - 15:52 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
9ed81d692758dfb9471d7799b24bfa7a08224c31,0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f,63fda74885555e6bd1623b5d811feec998740ba4
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21934
CVE Published
Apr 13, 2026 - 13:21 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid overflows in ip6_datagram_send_ctl()

Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via skb_under_panic() (local DoS).

The core issue is a mismatch between:

  • a 16-bit length accumulator (struct ipv6_txoptions::opt_flen, type

__u16) and

  • a pointer to the *last* provided destination-options header (opt->dst1opt)

when multiple IPV6_DSTOPTS control messages (cmsgs) are provided.

  • include/net/ipv6.h:
  • struct ipv6_txoptions::opt_flen is __u16 (wrap possible).

(lines 291-307, especially 298)

  • net/ipv6/datagram.c:ip6_datagram_send_ctl():
  • Accepts repeated IPV6_DSTOPTS and accumulates into opt_flen

without rejecting duplicates. (lines 909-933)

  • net/ipv6/ip6_output.c:__ip6_append_data():
  • Uses opt->opt_flen + opt->opt_nflen to compute header

sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)

  • net/ipv6/ip6_output.c:__ip6_make_skb():
  • Calls ipv6_push_frag_opts() if opt->opt_flen is non-zero.

(lines 1930-1934)

  • net/ipv6/exthdrs.c:ipv6_push_frag_opts() / ipv6_push_exthdr():
  • Push size comes from ipv6_optlen(opt->dst1opt) (based on the

pointed-to header). (lines 1179-1185 and 1206-1211)

  1. opt_flen is a 16-bit accumulator:
  • include/net/ipv6.h:298 defines __u16 opt_flen; /* after fragment hdr */.
  1. ip6_datagram_send_ctl() accepts *repeated* IPV6_DSTOPTS cmsgs

and increments opt_flen each time:

  • In net/ipv6/datagram.c:909-933, for IPV6_DSTOPTS:
  • It computes len = ((hdr->hdrlen + 1) << 3);
  • It checks CAP_NET_RAW using `ns_capable(net->user_ns,

CAP_NET_RAW)`. (line 922)

  • Then it does:
  • opt->opt_flen += len; (line 927)
  • opt->dst1opt = hdr; (line 928)

There is no duplicate rejection here (unlike the legacy IPV6_2292DSTOPTS path which rejects duplicates at net/ipv6/datagram.c:901-904).

If enough large IPV6_DSTOPTS cmsgs are provided, opt_flen wraps while dst1opt still points to a large (2048-byte) destination-options header.

In the attached PoC (poc.c):

  • 32 cmsgs with hdrlen=255 => len = (255+1)*8 = 2048
  • 1 cmsg with hdrlen=0 => len = 8
  • Total increment: 32*2048 + 8 = 65544, so (__u16)opt_flen == 8
  • The last cmsg is 2048 bytes, so dst1opt points to a 2048-byte header.
  1. The transmit path sizes headers using the wrapped opt_flen:
  • In net/ipv6/ip6_output.c:1463-1465:
  • `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen +

opt->opt_nflen : 0) + ...;`

With wrapped opt_flen, headersize/headroom decisions underestimate what will be pushed later.

  1. When building the final skb, the actual push length comes from

dst1opt and is not limited by wrapped opt_flen:

  • In net/ipv6/ip6_output.c:1930-1934:
  • if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);
  • In net/ipv6/exthdrs.c:1206-1211, ipv6_push_frag_opts() pushes

dst1opt via ipv6_push_exthdr().

  • In net/ipv6/exthdrs.c:1179-1184, ipv6_push_exthdr() does:
  • skb_push(skb, ipv6_optlen(opt));
  • memcpy(h, opt, ipv6_optlen(opt));

With insufficient headroom, skb_push() underflows and triggers skb_under_panic() -> BUG():

  • net/core/skbuff.c:2669-2675 (skb_push() calls skb_under_panic())
  • net/core/skbuff.c:207-214 (skb_panic() ends in BUG())
  • The IPV6_DSTOPTS cmsg path requires CAP_NET_RAW in the target

netns user namespace (ns_capable(net->user_ns, CAP_NET_RAW)).

  • Root (or any task with CAP_NET_RAW) can trigger this without user

namespaces.

  • An unprivileged uid=1000 user can trigger this if unprivileged

user namespaces are enabled and it can create a userns+netns to obtain namespaced CAP_NET_RAW (the attached PoC does this).

  • Local denial of service: kernel BUG/panic (system crash).

- ---truncated---

AnalysisAI

Integer overflow in the Linux kernel's IPv6 sendmsg ancillary-data path allows a local user with CAP_NET_RAW (or namespaced CAP_NET_RAW via unprivileged user namespaces) to crash the kernel via skb_under_panic(), constituting a local denial of service. The 16-bit opt_flen accumulator in ip6_datagram_send_ctl() wraps around when flooded with large IPV6_DSTOPTS cmsgs, causing the transmit path to underallocate sk_buff headroom while dst1opt still references a large destination-options header - the mismatch triggers BUG() on subsequent packet transmission. A proof-of-concept (poc.c) was submitted with the bug report; no public exploit identified at time of analysis as actively exploited (no CISA KEV listing), and EPSS is very low at 0.03%.

Technical ContextAI

The flaw lives in net/ipv6/datagram.c:ip6_datagram_send_ctl(), which processes per-packet IPv6 extension header options supplied as ancillary cmsgs to sendmsg(). The field struct ipv6_txoptions::opt_flen (include/net/ipv6.h:298) is declared __u16 - a 16-bit unsigned integer with a maximum of 65535. The IPV6_DSTOPTS handling path (lines 909-933) accumulates opt_flen += len for every provided cmsg without overflow checking and without rejecting duplicates, unlike the legacy IPV6_2292DSTOPTS path (lines 901-904) which does reject them. When opt_flen wraps, __ip6_append_data() (ip6_output.c:1463-1465) uses the wrapped value to compute headersize and allocate sk_buff headroom, producing a severe underestimate. Later, __ip6_make_skb() calls ipv6_push_frag_opts() (ip6_output.c:1930-1934), which invokes ipv6_push_exthdr() using ipv6_optlen(opt->dst1opt) - the real, unwrapped size from the last-provided destination-options header. The skb_push() call in exthdrs.c:1179-1184 underflows the allocated headroom and triggers skb_under_panic() (net/core/skbuff.c:2669-2675), which calls BUG(), panicking the kernel. CWE-617 (Reachable Assertion) is the assigned classification, though the primary root cause is more precisely a 16-bit integer overflow (CWE-190) - CWE-617 captures the downstream BUG() trigger. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0, depending on the active stable branch. Upstream fix commits are available at https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f, https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e87f, https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4, https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31, https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a, and https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e. Where patching is not immediately possible, the most effective compensating control is to disable unprivileged user namespaces: on Debian/Ubuntu use sysctl -w kernel.unprivileged_userns_clone=0 (persisted via /etc/sysctl.d/); on RHEL/Fedora use sysctl -w user.max_user_namespaces=0. This prevents unprivileged users from acquiring namespaced CAP_NET_RAW, restricting exploitation to root-equivalent processes only. Trade-off: disabling unprivileged user namespaces breaks rootless Podman/Docker, Firefox content sandboxing, Flatpak, and Bubblewrap-based sandbox tools. Alternatively, apply a seccomp or AppArmor profile to sensitive workloads that drops CAP_NET_RAW and blocks socket(AF_INET6, SOCK_RAW, ...) syscalls for untrusted users.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-21934 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy