CVE 9.8 CRITICAL

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()_CVE-2026-43037

May 3, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

Oskar Kjos reported the following problem.

ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written
by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes
IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region
as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff
at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr
value. __ip_options_echo() then reads optlen from attacker-controlled
packet data at sptr[rr+1] and copies that many bytes into dopt->__data,
a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).

To fix this we clear skb2->cb[], as suggested by Oskar Kjos.

Also add minimal IPv4 header validation (version == 4, ihl >= 5).

AI Analysis

A vulnerability in the Linux kernel's ip6_tunnel module allows an attacker to potentially execute arbitrary code or cause a denial-of-service condition by sending a crafted packet.

Basic Information

ID CVE-2026-43037

Source Linux

Published May 1, 2026 at 14:15

Modified May 3, 2026 at 05:46

Affected Product

Vendor Linux

Product Linux

Version c4d3efafcc933fd2ffd169d7dc4f980393a13796

Affected Versions Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796
Linux Linux 2.6.22

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor The Linux Foundation

Product Linux Kernel

Version c4d3efafcc933fd2ffd169d7dc4f980393a13796

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2->cb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt->__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2->cb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl >= 5).",
    "published": "2026-05-01T14:15:35.314Z",
    "modified": "2026-05-03T05:46:16.322Z",
    "type": "cve",
    "title": "ip6_tunnel: clear skb2->cb[] in ip4ip6_err()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629\nhttps://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f\nhttps://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5\nhttps://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39\nhttps://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876\nhttps://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3\nhttps://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8\nhttps://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925",
    "id": "CVE-2026-43037",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux c4d3efafcc933fd2ffd169d7dc4f980393a13796\nLinux Linux 2.6.22",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel's ip6_tunnel module allows an attacker to potentially execute arbitrary code or cause a denial-of-service condition by sending a crafted packet.",
    "ai_severity": "Critical",
    "ai_vendor": "The Linux Foundation",
    "ai_product": "Linux Kernel",
    "ai_version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply