Skip to main content

Linux Kernel EUVDEUVD-2026-27747

| CVE-2026-43186 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-06 Linux GHSA-8x8h-4g2v-qpf2
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:35 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.8 (CRITICAL)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic.

Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it:

  • in ioam6_iptunnel.c (send path, existing validation) to replace

the open-coded computation;

  • in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose

nodelen is inconsistent with the type field, before any data is written.

Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00).

AnalysisAI

Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Technical ContextAI

The vulnerability exists in the Linux kernel's IPv6 extension header processing, specifically in the IOAM6 (RFC 9197) implementation. IOAM allows in-band telemetry collection as packets traverse network nodes. The __ioam6_fill_trace_data() function in net/ipv6/exthdrs.c processes IOAM trace data on the receive path, trusting the 'nodelen' field from incoming packets without validating it against the 'type' bitmap (24-bit field indicating which data elements are present). Each set bit in positions 0-11 represents an 8-octet field, while bits 12-21 represent 4-octet fields. When nodelen=0 but type bits are set, the function writes data based on type bits while using nodelen for boundary checks, resulting in out-of-bounds writes into adjacent heap structures. The fix introduces ioam6_trace_compute_nodelen() to derive expected nodelen from type field and validates consistency before processing. Affected code paths include net/ipv6/exthdrs.c (receive) and net/ipv6/ioam6_iptunnel.c (send), with the vulnerability present since commit 9ee11f0fff20 which introduced IOAM6 support in kernel 5.15.

RemediationAI

Apply vendor-released kernel updates immediately for systems with IPv6 IOAM features enabled, within 72 hours for production IPv6 infrastructure, and during next maintenance window for standard deployments. Specific fixed versions: upgrade to Linux 5.15.202+ (LTS), 6.1.165+, 6.6.128+ (LTS), 6.12.75+, 6.18.16+, 6.19.6+, or 7.0+. Distribution-specific patches available through standard update channels (yum/dnf, apt, zypper). Upstream commits at https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f (mainline) and stable branch equivalents listed in references. Workarounds for environments unable to patch immediately: (1) Disable IOAM6 processing by setting sysctl net.ipv6.ioam6_enabled=0 if supported by kernel version (eliminates attack surface but disables telemetry features), (2) Configure firewall rules to drop IPv6 packets with Hop-by-Hop extension headers containing IOAM options (ip6tables -A INPUT -m ipv6header --header hop-by-hop -j DROP; side effect: breaks legitimate IOAM telemetry and may impact other Hop-by-Hop uses), (3) Disable IPv6 entirely on non-essential systems (sysctl net.ipv6.conf.all.disable_ipv6=1; significant impact on dual-stack networks). Verify mitigation effectiveness by testing IOAM packet processing is blocked. Note: kernel reboot required after update; plan maintenance windows accordingly.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy