CVE Catalog

CVE-2026-43341

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile — higher than 32% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel that allows for a buffer overflow in the ioam6_fill_trace_data() function. The issue arises from improper storage of the schema length, leading to a bypass of the remaining space check in the trace buffer.

Risk Assessment

An attacker could exploit this vulnerability to overwrite memory, potentially leading to unauthorized access or system instability. Consequently, the organization may face serious security and data integrity issues.

Recommendation

It is recommended to update the Linux kernel to the latest version where this vulnerability has been fixed. Additionally, monitoring systems for unauthorized memory changes can help detect potential attacks.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer. Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS