CVE Catalog

CVE-2026-43037

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.56%

43th percentile — higher than 43% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's ip4ip6_err() function in the IPv6-over-IPv4 tunnel. Failure to clear the cb[] buffer in a cloned skb (skb2) causes misinterpretation of data as an IPv4 structure, potentially leading to out-of-bounds read and stack buffer overflow.

Risk Assessment

An attacker can send a crafted packet to trigger memory read or arbitrary code execution in the kernel, potentially leading to full system compromise.

Recommendation

Immediately update the Linux kernel to a version containing the fix (clearing skb2->cb[] and adding IPv4 header validation).

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS