CVE-2026-53006
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
A vulnerability was found in the Linux kernel's icmpv6_rcv() function for IPv6. Caching source and destination addresses before calling pskb_pull() can lead to a use-after-free (UAF) because pskb_pull() may change the skb->head pointer.
Risk Assessment
An attacker could exploit this vulnerability to gain unauthorized access to kernel memory, potentially leading to privilege escalation or data leakage.
Recommendation
It is recommended to immediately update the Linux kernel to a version containing the fix that removes temporary variables and ensures safe references to the IPv6 header.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in icmpv6_rcv() Caching saddr and daddr before pskb_pull() is problematic since skb->head can change. Remove these temporary variables: - We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr when net_dbg_ratelimited() is called in the slow path. - Avoid potential future misuse after pskb_pull() call.

