{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43038","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.978Z","datePublished":"2026-05-01T14:15:35.986Z","dateUpdated":"2026-05-11T22:16:31.106Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:16:31.106Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n  where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n  and passed to icmp6_send(), it uses IP6CB(skb2).\n\n  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n  offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n  at offset 18.\n\n  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n  would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n  and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).\n\n  This would scan the inner, attacker-controlled IPv6 packet starting at that\n  offset, potentially returning a fake TLV without checking if the remaining\n  packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n  of the packet data into skb_shared_info?\n\n  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n  ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/icmp.c"],"versions":[{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"c438ba010171b70bad22fc18b1d5bdc3627476e8","status":"affected","versionType":"git"},{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7","status":"affected","versionType":"git"},{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"a4437faf135da293d16fcc4cc607316742bd0ebb","status":"affected","versionType":"git"},{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"3d5127d998de617b130aae96b138dba22ac6a8a7","status":"affected","versionType":"git"},{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"e41953e7d118e2702bcb217879c173d9d1d3cd4e","status":"affected","versionType":"git"},{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"a2edbb6393972a02114b6003953a5cef3104fada","status":"affected","versionType":"git"},{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"1ceeebd5bd6d855b17a5df625109bfe29129d7cf","status":"affected","versionType":"git"},{"version":"ca15a078bd907df5fc1c009477869c5cbde3b753","lessThan":"86ab3e55673a7a49a841838776f1ab18d23a67b5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/icmp.c"],"versions":[{"version":"3.13","status":"affected"},{"version":"0","lessThan":"3.13","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.134","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.6.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.12.81"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.18.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.19.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8"},{"url":"https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7"},{"url":"https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb"},{"url":"https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7"},{"url":"https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e"},{"url":"https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada"},{"url":"https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf"},{"url":"https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5"}],"title":"ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()","x_generator":{"engine":"bippy-1.2.0"}}}}