Skip to main content

Linux Kernel EUVDEUVD-2026-39214

| CVE-2026-53263 MEDIUM
Off-by-one Error (CWE-193)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fq9x-8g2w-4p5r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

PR:L required for local shell access; C:L added because kernel stack bytes are confirmed leaked over the network, contradicting the official C:N; A:H retained as RIID corruption breaks multicast decompression at receivers.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 06:38 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

6lowpan: fix off-by-one in multicast context address compression

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses &data[1] as destination and &ipaddr->s6_addr[11] as source, but both should be offset by one: &data[2] and &ipaddr->s6_addr[12] respectively.

This off-by-one has two consequences:

  1. data[1] is overwritten with s6_addr[11], corrupting the RIID

field in the compressed multicast address

  1. data[5] is never written, so uninitialized kernel stack memory

is transmitted over the network via lowpan_push_hc_data(), leaking kernel stack contents

The correct inline data layout must match what the decompression function lowpan_uncompress_multicast_ctx_daddr() expects: data[0..1] = s6_addr[1..2] (flags/scope + RIID) data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against similar bugs in the future.

AnalysisAI

Kernel stack memory disclosure and multicast address corruption in the Linux kernel's 6lowpan IPHC subsystem affects all deployments running the vulnerable code path from commit 5609c185f24d onward. A local unprivileged user on a system with an active 6lowpan interface can trigger lowpan_iphc_mcast_ctx_addr_compress() to transmit uninitialized kernel stack bytes over the 6lowpan link layer while also corrupting the RIID field in compressed multicast addresses, breaking multicast connectivity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local unprivileged shell access
Delivery
Confirm active 6lowpan interface present
Exploit
Send multicast IPv6 traffic over 6lowpan link
Execution
Trigger off-by-one in IPHC multicast context compression
Persist
Uninitialized kernel stack byte embedded in transmitted frame
Impact
Capture 6lowpan link-layer traffic to extract leaked stack byte

Vulnerability AssessmentAI

Exploitation Exploitation requires a local user with at least low-privilege shell access (PR:L per CVSS) on a Linux system where the 6lowpan kernel subsystem is loaded and an active 6lowpan network interface is bound to an IEEE 802.15.4 radio. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) contains a notable discrepancy: C:N (no confidentiality impact) conflicts with both the 'Information Disclosure' tag and the description's explicit statement that uninitialized kernel stack memory is transmitted over the network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on a Linux IoT gateway or embedded system with an active 6lowpan (IEEE 802.15.4) interface sends multicast IPv6 traffic destined for a context-compressed multicast address, triggering the off-by-one in `lowpan_iphc_mcast_ctx_addr_compress()`. The resulting compressed packet transmitted over the air contains one byte of uninitialized kernel stack data in the group ID field; an attacker or colluding party monitoring the 6lowpan link can capture this byte to infer kernel memory layout or sensitive runtime data over time. …
Remediation Upgrade to a patched stable kernel version: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 - the specific fix commit per branch is available at the git.kernel.org/stable/c/ references provided. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy