In the Linux kernel, the following vulnerability has been resolved:
6lowpan: fix off-by-one in multicast context address compression
The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses &data[1] as destination and &ipaddr->s6_addr[11] as source, but both should be offset by one: &data[2] and &ipaddr->s6_addr[12] respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory is transmitted over the network via lowpan_push_hc_data(), leaking kernel stack contents

The correct inline data layout must match what the decompression function lowpan_uncompress_multicast_ctx_daddr() expects:
  data[0..1] = s6_addr[1..2]   (flags/scope + RIID)
  data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against similar bugs in the future.
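
A userspace model of the two copy patterns described above, added here as an example (it is not the kernel's code or the patch itself). The function names, the 0xAA marker standing in for stale stack bytes, and the sample address are constructed; the decompressor models only the inline-carried bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STALE 0xAA /* constructed marker standing in for leftover stack bytes */

/* Copy pattern before the fix: the second memcpy is off by one. */
static void compress_before_fix(const uint8_t a[16], uint8_t data[6])
{
    memset(data, STALE, 6);       /* models the uninitialized stack array */
    memcpy(data, &a[1], 2);       /* flags/scope + RIID */
    memcpy(&data[1], &a[11], 4);  /* clobbers data[1], never writes data[5] */
}

/* Copy pattern after the fix: zeroed array, group ID in data[2..5]. */
static void compress_after_fix(const uint8_t a[16], uint8_t data[6])
{
    memset(data, 0, 6);
    memcpy(data, &a[1], 2);
    memcpy(&data[2], &a[12], 4);
}

/* Inline layout the decompressor expects; context-derived bytes are omitted. */
static void decompress_inline(const uint8_t data[6], uint8_t a[16])
{
    memset(a, 0, 16);
    a[0] = 0xff;
    memcpy(&a[1], data, 2);
    memcpy(&a[12], &data[2], 4);
}

/* Returns 1 if the inline-carried bytes survive compress + decompress. */
static int roundtrip_ok(void (*compress)(const uint8_t *, uint8_t *), const uint8_t a[16])
{
    uint8_t data[6], out[16];
    compress(a, data);
    decompress_inline(data, out);
    return !memcmp(&out[1], &a[1], 2) && !memcmp(&out[12], &a[12], 4);
}

/* Constructed sample multicast address. */
static const uint8_t SAMPLE[16] = { 0xff, 0x3e, 0x07, 0x40, 0x20, 0x01, 0x0d, 0xb8,
                                    0x00, 0x00, 0x00, 0x5b, 0x11, 0x22, 0x33, 0x44 };

int main(void)
{
    printf("before fix: %s\n", roundtrip_ok(compress_before_fix, SAMPLE) ? "ok" : "mismatch");
    printf("after fix:  %s\n", roundtrip_ok(compress_after_fix, SAMPLE) ? "ok" : "mismatch");
    return 0;
}
```

A round-trip check of this shape, run against the compress and decompress pair, is the kind of regression test that catches a layout mismatch between the two sides.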
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53263.json",
"cna_assigner": "Linux"
}