CVE Catalog

CVE-2026-53228

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.56%

42th percentile — higher than 42% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the SIT (Simple Internet Transition) IPv6 module uses a stale inner IPv6 header pointer after GSO offloads. The ipip6_tunnel_xmit() function caches the pointer at entry, but iptunnel_handle_offloads() may relocate the skb buffer, causing reads from freed memory.

Risk Assessment

The risk includes potential memory corruption, information disclosure, system crashes (kernel panic), or in extreme cases arbitrary code execution by an attacker.

Recommendation

Immediately update the Linux kernel to a version containing the fix (reload iph6 pointer after offload operations). Monitor official security advisories from your Linux distribution.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS