{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43186","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.991Z","datePublished":"2026-05-06T11:27:57.053Z","dateUpdated":"2026-05-11T22:19:30.665Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:19:30.665Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()\n\nOn the receive path, __ioam6_fill_trace_data() uses trace->nodelen\nto decide how much data to write for each node. It trusts this field\nas-is from the incoming packet, with no consistency check against\ntrace->type (the 24-bit field that tells which data items are\npresent). A crafted packet can set nodelen=0 while setting type bits\n0-21, causing the function to write ~100 bytes past the allocated\nregion (into skb_shared_info), which corrupts adjacent heap memory\nand leads to a kernel panic.\n\nAdd a shared helper ioam6_trace_compute_nodelen() in ioam6.c to\nderive the expected nodelen from the type field, and use it:\n\n  - in ioam6_iptunnel.c (send path, existing validation) to replace\n    the open-coded computation;\n  - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose\n    nodelen is inconsistent with the type field, before any data is\n    written.\n\nPer RFC 9197, bits 12-21 are each short (4-octet) fields, so they\nare included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to\n0xff1ffc00)."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/ioam6.h","net/ipv6/exthdrs.c","net/ipv6/ioam6.c","net/ipv6/ioam6_iptunnel.c"],"versions":[{"version":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0","lessThan":"f4d9d4b8fd839719d564651671e24c62c545c23b","status":"affected","versionType":"git"},{"version":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0","lessThan":"fb3c662fafebc5b9d74417ed1de8759f6bb72143","status":"affected","versionType":"git"},{"version":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0","lessThan":"632d233cf2e64a46865ae2c064ae3c9df7c8864f","status":"affected","versionType":"git"},{"version":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0","lessThan":"0591d6509c2ff13f09ea2998434aba0c0472e978","status":"affected","versionType":"git"},{"version":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0","lessThan":"e90346a2f1e8917d5760a44a1f61c44e3b36d96b","status":"affected","versionType":"git"},{"version":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0","lessThan":"ea3632aefc04205436868541638e26f4a74d5637","status":"affected","versionType":"git"},{"version":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0","lessThan":"6db8b56eed62baacaf37486e83378a72635c04cc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/ioam6.h","net/ipv6/exthdrs.c","net/ipv6/ioam6.c","net/ipv6/ioam6_iptunnel.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f4d9d4b8fd839719d564651671e24c62c545c23b"},{"url":"https://git.kernel.org/stable/c/fb3c662fafebc5b9d74417ed1de8759f6bb72143"},{"url":"https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f"},{"url":"https://git.kernel.org/stable/c/0591d6509c2ff13f09ea2998434aba0c0472e978"},{"url":"https://git.kernel.org/stable/c/e90346a2f1e8917d5760a44a1f61c44e3b36d96b"},{"url":"https://git.kernel.org/stable/c/ea3632aefc04205436868541638e26f4a74d5637"},{"url":"https://git.kernel.org/stable/c/6db8b56eed62baacaf37486e83378a72635c04cc"}],"title":"ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()","x_generator":{"engine":"bippy-1.2.0"}}}}