Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
PR:L required for local shell access; C:L added because kernel stack bytes are confirmed leaked over the network, contradicting the official C:N; A:H retained as RIID corruption breaks multicast decompression at receivers.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
6lowpan: fix off-by-one in multicast context address compression
The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses &data[1] as destination and &ipaddr->s6_addr[11] as source, but both should be offset by one: &data[2] and &ipaddr->s6_addr[12] respectively.
This off-by-one has two consequences:
- data[1] is overwritten with s6_addr[11], corrupting the RIID
field in the compressed multicast address
- data[5] is never written, so uninitialized kernel stack memory
is transmitted over the network via lowpan_push_hc_data(), leaking kernel stack contents
The correct inline data layout must match what the decompression function lowpan_uncompress_multicast_ctx_daddr() expects: data[0..1] = s6_addr[1..2] (flags/scope + RIID) data[2..5] = s6_addr[12..15] (group ID)
Also zero-initialize the data array as a defensive measure against similar bugs in the future.
AnalysisAI
Kernel stack memory disclosure and multicast address corruption in the Linux kernel's 6lowpan IPHC subsystem affects all deployments running the vulnerable code path from commit 5609c185f24d onward. A local unprivileged user on a system with an active 6lowpan interface can trigger lowpan_iphc_mcast_ctx_addr_compress() to transmit uninitialized kernel stack bytes over the 6lowpan link layer while also corrupting the RIID field in compressed multicast addresses, breaking multicast connectivity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local user with at least low-privilege shell access (PR:L per CVSS) on a Linux system where the 6lowpan kernel subsystem is loaded and an active 6lowpan network interface is bound to an IEEE 802.15.4 radio. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) contains a notable discrepancy: C:N (no confidentiality impact) conflicts with both the 'Information Disclosure' tag and the description's explicit statement that uninitialized kernel stack memory is transmitted over the network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user on a Linux IoT gateway or embedded system with an active 6lowpan (IEEE 802.15.4) interface sends multicast IPv6 traffic destined for a context-compressed multicast address, triggering the off-by-one in `lowpan_iphc_mcast_ctx_addr_compress()`. The resulting compressed packet transmitted over the air contains one byte of uninitialized kernel stack data in the group ID field; an attacker or colluding party monitoring the 6lowpan link can capture this byte to infer kernel memory layout or sensitive runtime data over time. … |
| Remediation | Upgrade to a patched stable kernel version: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 - the specific fix commit per branch is available at the git.kernel.org/stable/c/ references provided. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-193 – Off-by-one Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39214
GHSA-fq9x-8g2w-4p5r