{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43037","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.978Z","datePublished":"2026-05-01T14:15:35.314Z","dateUpdated":"2026-05-11T22:16:29.957Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:16:29.957Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2->cb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt->__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2->cb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl >= 5)."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/ip6_tunnel.c"],"versions":[{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"ea9f65b27c8404e164848ebff1443310fd187629","status":"affected","versionType":"git"},{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"d6621f60192fe10c047a4487be42a6f4c150707f","status":"affected","versionType":"git"},{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5","status":"affected","versionType":"git"},{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"a0c4ce9900a108eaf55d0f3b399cb55999647d39","status":"affected","versionType":"git"},{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"1063515ce15ff31065c4e7f8265f4c2fd3c54876","status":"affected","versionType":"git"},{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3","status":"affected","versionType":"git"},{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"4a622658f384b03560834cbe8ffcfe69a278f7c8","status":"affected","versionType":"git"},{"version":"c4d3efafcc933fd2ffd169d7dc4f980393a13796","lessThan":"2edfa31769a4add828a7e604b21cb82aaaa05925","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/ip6_tunnel.c"],"versions":[{"version":"2.6.22","status":"affected"},{"version":"0","lessThan":"2.6.22","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.134","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.6.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.12.81"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.18.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.19.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629"},{"url":"https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f"},{"url":"https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5"},{"url":"https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39"},{"url":"https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876"},{"url":"https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3"},{"url":"https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8"},{"url":"https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925"}],"title":"ip6_tunnel: clear skb2->cb[] in ip4ip6_err()","x_generator":{"engine":"bippy-1.2.0"}}}}