CVE-2026-43186

Source
https://cve.org/CVERecord?id=CVE-2026-43186
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43186.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43186
Downstream
Published
2026-05-06T11:27:57.053Z
Modified
2026-06-18T03:55:39.022702993Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic.

Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it:

  • in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation;
  • in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written.

Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00).
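
The consistency check described above, as an added userspace C example (not the kernel's code and not part of the original record). It assumes the 24-bit trace type sits in the upper 24 bits of a host-order 32-bit word with bit 0 as the most significant bit, that bits 8-10 are the wide (8-octet) fields per RFC 9197, and that nodelen counts 4-octet units; the function names and the wide mask are this example's own, and the variable-length opaque snapshot (bit 22) is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MASK_SHORT_OLD 0xff100000u /* bits 0-7 and 11 (old value in the advisory) */
#define MASK_SHORT_NEW 0xff1ffc00u /* adds bits 12-21 (new value in the advisory) */
#define MASK_WIDE      0x00e00000u /* bits 8-10, 8 octets each (assumption)       */

/* Constructed sample: trace type with bits 0-21 set, as in the description. */
#define TYPE_BITS_0_21 0xfffffc00u

static unsigned popcount32(uint32_t v)
{
    unsigned n = 0;

    for (; v; v &= v - 1) /* clear the lowest set bit each round */
        n++;
    return n;
}

/* Per-node length, in 4-octet units, implied by the trace type alone. */
static unsigned expected_nodelen(uint32_t type, uint32_t short_mask)
{
    return popcount32(type & short_mask) + 2 * popcount32(type & MASK_WIDE);
}

/* Receive-side rule: accept the header only if nodelen matches the type. */
static bool trace_hdr_consistent(uint32_t type, unsigned nodelen)
{
    return nodelen == expected_nodelen(type, MASK_SHORT_NEW);
}

int main(void)
{
    unsigned want = expected_nodelen(TYPE_BITS_0_21, MASK_SHORT_NEW);

    printf("type bits 0-21 imply nodelen=%u (%u bytes per node)\n",
           want, want * 4);
    printf("old short mask would compute %u\n",
           expected_nodelen(TYPE_BITS_0_21, MASK_SHORT_OLD));
    printf("header claiming nodelen=0: %s\n",
           trace_hdr_consistent(TYPE_BITS_0_21, 0) ? "accept" : "drop");
    return 0;
}
```

The 25 units (100 bytes) implied by type bits 0-21 line up with the roughly 100-byte overwrite in the description, and the old short mask undercounts the same type by the ten fields in bits 12-21.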

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43186.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9ee11f0fff205b4b3df9750bff5e94f97c71b6a0
Fixed
f4d9d4b8fd839719d564651671e24c62c545c23b
Fixed
fb3c662fafebc5b9d74417ed1de8759f6bb72143
Fixed
632d233cf2e64a46865ae2c064ae3c9df7c8864f
Fixed
0591d6509c2ff13f09ea2998434aba0c0472e978
Fixed
e90346a2f1e8917d5760a44a1f61c44e3b36d96b
Fixed
ea3632aefc04205436868541638e26f4a74d5637
Fixed
6db8b56eed62baacaf37486e83378a72635c04cc

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43186.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
  • Introduced 5.15.0, fixed 5.15.202
  • Introduced 5.16.0, fixed 6.1.165
  • Introduced 6.2.0, fixed 6.6.128
  • Introduced 6.7.0, fixed 6.12.75
  • Introduced 6.13.0, fixed 6.18.16
  • Introduced 6.19.0, fixed 6.19.6
