CVE-2026-43037
- Source
- https://cve.org/CVERecord?id=CVE-2026-43037
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43037.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-43037
- Downstream
- Related
- Published
- 2026-05-01T14:15:35.314Z
- Modified
- 2026-06-19T08:29:26.430958439Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ip6tunnel: clear skb2->cb[] in ip4ip6err()
Oskar Kjos reported the following problem.
ip4ip6err() calls icmpsend() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6skbparm. icmp_send() passes IPCB(skb2) to __ipoptionsecho(), which interprets that cb[] region as struct inetskbparm (IPv4). The layouts differ: inet6skbparm.nhoff at offset 14 overlaps inetskbparm.opt.rr, producing a non-zero rr value. __ipoptionsecho() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IPOPTIONSDATAFIXEDSIZE).
To fix this we clear skb2->cb[], as suggested by Oskar Kjos.
Also add minimal IPv4 header validation (version == 4, ihl >= 5).
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43037.json" }- References
-
- https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876
- https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5
- https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925
- https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8
- https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3
- https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39
- https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f
- https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43037.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-43037
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc4d3efafcc933fd2ffd169d7dc4f980393a13796Fixedea9f65b27c8404e164848ebff1443310fd187629Fixedd6621f60192fe10c047a4487be42a6f4c150707fFixed2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5Fixeda0c4ce9900a108eaf55d0f3b399cb55999647d39Fixed1063515ce15ff31065c4e7f8265f4c2fd3c54876Fixed590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3Fixed4a622658f384b03560834cbe8ffcfe69a278f7c8Fixed2edfa31769a4add828a7e604b21cb82aaaa05925
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced2.6.22Fixed5.10.253
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.203
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.168
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.134
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.81
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.22
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.12