{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43501","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:56.014Z","datePublished":"2026-05-21T12:17:49.885Z","dateUpdated":"2026-06-01T16:16:09.311Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-01T16:16:09.311Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: rpl: reserve mac_len headroom when recompressed SRH grows\n\nipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps\nthe next segment into ipv6_hdr->daddr, recompresses, then pulls the old\nheader and pushes the new one plus the IPv6 header back.  The\nrecompressed header can be larger than the received one when the swap\nreduces the common-prefix length the segments share with daddr (CmprI=0,\nCmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).\n\npskb_expand_head() was gated on segments_left == 0, so on earlier\nsegments the push consumed unchecked headroom.  Once skb_push() leaves\nfewer than skb->mac_len bytes in front of data,\nskb_mac_header_rebuild()'s call to:\n\n\tskb_set_mac_header(skb, -skb->mac_len);\n\nwill store (data - head) - mac_len into the u16 mac_header field, which\nwraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB\npast skb->head.\n\nA single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two\nsegment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one\npass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.\n\nFix this by expanding the head whenever the remaining room is less than\nthe push size plus mac_len, and request that much extra so the rebuilt\nMAC header fits afterwards."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/exthdrs.c"],"versions":[{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"bde199c72d319a4e207f88daabc888317504e2fb","status":"affected","versionType":"git"},{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e","status":"affected","versionType":"git"},{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402","status":"affected","versionType":"git"},{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"8e8be63465a5e80394c70324603dfea1bfdad48f","status":"affected","versionType":"git"},{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"4babc2d9fda2df43823b85d08a0180b68f1b0854","status":"affected","versionType":"git"},{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"c261d07a80576dc8ccf394ef8f074f8c67a06b37","status":"affected","versionType":"git"},{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"7398ebefbfd4f8a31d4f665a4213302fa995494b","status":"affected","versionType":"git"},{"version":"8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3","lessThan":"9e6bf146b55999a095bb14f73a843942456d1adc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/exthdrs.c"],"versions":[{"version":"5.7","status":"affected"},{"version":"0","lessThan":"5.7","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.18.27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"7.0.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"7.1-rc2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/bde199c72d319a4e207f88daabc888317504e2fb"},{"url":"https://git.kernel.org/stable/c/be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e"},{"url":"https://git.kernel.org/stable/c/0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402"},{"url":"https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f"},{"url":"https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854"},{"url":"https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37"},{"url":"https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b"},{"url":"https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc"}],"title":"ipv6: rpl: reserve mac_len headroom when recompressed SRH grows","x_generator":{"engine":"bippy-1.2.0"}}}}