Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AC:H because triggering needs a GSO/cloned-skb race on a non-default SIT tunnel; C:L for a bounded freed-memory read and A:L for a possible oops; no integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ipv6: sit: reload inner IPv6 header after GSO offloads
ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads().
For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call.
If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released.
Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.
AnalysisAI
Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target host to have an IPv6-in-IPv4 SIT tunnel configured and active (ipip6_tunnel_xmit must run) - this is a non-default configuration and the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a host configured as a SIT tunnel endpoint, an attacker (or normal traffic) drives packets through the tunnel such that the transmit path processes a cloned, GSO-eligible skb; the offload helper reallocates the skb head, and the driver then reads the inner hop-limit and DS fields through the freed pointer, potentially leaking stale kernel memory contents into emitted packets or oopsing the kernel. No public proof-of-concept is identified at time of analysis, and reliable triggering depends on winning the GSO/clone timing rather than a deterministic single request. |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backport referencing these git.kernel.org commits, e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify systems running IPv6 SIT tunnels and assess exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39319
GHSA-5q2p-7748-g6qp