Skip to main content

Linux Kernel EUVDEUVD-2026-28625

| CVE-2026-43341 CRITICAL
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-p877-m7m5-3qh3
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:26 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
CRITICAL 9.8
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: ioam6: prevent schema length wraparound in trace fill

ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.

Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.

AnalysisAI

Integer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace functionality allows remote unauthenticated attackers to trigger buffer overflow conditions. A crafted IOAM trace packet with specific schema configurations causes an 8-bit integer wraparound that bypasses buffer boundary checks, enabling memory corruption with potential for arbitrary code execution at kernel privilege level. CVSS scored 9.8 (Critical) with network attack vector, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation activity. Patches available across multiple stable kernel versions (5.15, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, indicating vendor-prioritized remediation without confirmed active exploitation.

Technical ContextAI

This vulnerability affects the Linux kernel's IPv6 IOAM6 (RFC 9197) implementation, specifically in the ioam6_fill_trace_data() function within net/ipv6/ioam6.c. IOAM is a data plane protocol for recording operational and telemetry information while packets traverse network paths. The flaw stems from unsafe integer type selection where the schema contribution length (sclen) calculation is stored in an 8-bit unsigned integer (u8). When IOAM trace bit 22 is enabled with maximum schema payload (1020 bytes), the calculation (1 + 1020/4 = 256) exceeds u8 maximum, wrapping from 256 to 0. This wraparound defeats the subsequent remaining-space validation check in __ioam6_fill_trace_data(), causing the function to calculate write cursor position without proper buffer reservation. The code then writes a 4-byte schema header plus full schema payload beyond allocated buffer boundaries, resulting in kernel heap or stack buffer overflow depending on trace buffer allocation context. The fix changes sclen storage from u8 to unsigned int, preserving full 32-bit arithmetic precision for proper boundary validation. This is a classic integer overflow vulnerability class, though no CWE mapping was provided in the source data.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.168 or later for 6.1.x series, 6.6.134+ for 6.6.x series, 6.12.81+ for 6.12.x series, 6.18.22+ for 6.18.x series, 6.19.12+ for 6.19.x series, or 7.0+ for mainline development kernel. Patched commits available from https://git.kernel.org/stable/ (see references: d6e1c9b02d85, 77695a69baca, d1b041080086, 184d2e9db27c, e96d48b37708, 5e67ba9bb531). For environments where immediate kernel upgrades pose operational risk, implement temporary workaround by disabling IPv6 IOAM6 functionality if not operationally required - verify IOAM6 status with 'sysctl net.ipv6.conf.all.ioam6_enabled' and disable via 'sysctl -w net.ipv6.conf.all.ioam6_enabled=0' (requires testing as this may break telemetry-dependent monitoring infrastructure). Additionally, configure netfilter/ip6tables rules to drop IPv6 packets containing IOAM extension headers (IPv6 Hop-by-Hop extension with IOAM option type) at network perimeter: 'ip6tables -A INPUT -m ipv6header --header hop-by-hop --soft -j DROP' (WARNING: aggressive filtering may impact legitimate IPv6 extension header usage; validate against network requirements). Compensating controls carry side effect of reduced telemetry visibility in networks relying on IOAM data for performance monitoring and troubleshooting. No evidence suggests vulnerability is exploitable without IPv6 IOAM6 processing enabled, making feature disablement highly effective mitigation for non-IOAM environments.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy