CVE 9.8 CRITICAL

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() (CVE-2026-43186)

9.8 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()

On the receive path, __ioam6_fill_trace_data() uses trace->nodelen
to decide how much data to write for each node. It trusts this field
as-is from the incoming packet, with no consistency check against
trace->type (the 24-bit field that tells which data items are
present). A crafted packet can set nodelen=0 while setting type bits
0-21, causing the function to write ~100 bytes past the allocated
region (into skb_shared_info), which corrupts adjacent heap memory
and leads to a kernel panic.

Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to
derive the expected nodelen from the type field, and use it:

- in ioam6_iptunnel.c (send path, existing validation) to replace
  the open-coded computation;
- in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose
  nodelen is inconsistent with the type field, before any data is
  written.

Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they
are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to
0xff1ffc00).
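
The consistency check described above, as an added user-space C example (not the kernel patch): it derives the expected nodelen from the type bits and rejects a header whose nodelen disagrees. The `ex_` names and the wide-field mask 0x00e00000 (bits 8-10, 8 octets each per RFC 9197) are assumptions of this example; the short-field mask is the one quoted in the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Masks over the 32-bit word whose upper 24 bits are the trace type
 * (bit 0 = MSB). SHORT is the value quoted in the description; WIDE
 * (bits 8-10, 8 octets each per RFC 9197) is this example's assumption. */
#define EX_MASK_SHORT_FIELDS 0xff1ffc00u
#define EX_MASK_WIDE_FIELDS  0x00e00000u

static unsigned ex_popcount32(uint32_t v)
{
    unsigned n = 0;
    for (; v; v &= v - 1)   /* clear lowest set bit each round */
        n++;
    return n;
}

/* NodeLen (in 4-octet units) implied by the type bits. */
static uint8_t ex_compute_nodelen(uint32_t type)
{
    return (uint8_t)(ex_popcount32(type & EX_MASK_SHORT_FIELDS) +
                     2 * ex_popcount32(type & EX_MASK_WIDE_FIELDS));
}

/* Receive-side gate: accept only headers whose nodelen matches the type. */
static bool ex_trace_hdr_consistent(uint32_t type, uint8_t nodelen)
{
    return nodelen == ex_compute_nodelen(type);
}

/* Bytes per node that a type-driven writer would emit beyond nodelen. */
static unsigned ex_excess_bytes(uint32_t type, uint8_t nodelen)
{
    unsigned want = ex_compute_nodelen(type);
    return want > nodelen ? (want - nodelen) * 4u : 0u;
}

int main(void)
{
    uint32_t type = 0xfffffc00u;  /* constructed: type bits 0-21 set */
    uint8_t nodelen = 0;          /* constructed: inconsistent nodelen */

    printf("expected nodelen=%u, consistent=%d, excess=%u bytes\n",
           (unsigned)ex_compute_nodelen(type),
           ex_trace_hdr_consistent(type, nodelen),
           ex_excess_bytes(type, nodelen));
    return 0;
}
```

For the constructed header, the type bits imply 25 four-octet units per node, which is the 100-byte gap between what nodelen=0 declares and what the type field asks to be written.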

AI Analysis

Heap buffer overflow in the Linux kernel's __ioam6_fill_trace_data() function

Basic Information

ID CVE-2026-43186
Source Linux
Published May 6, 2026 at 11:27
Modified May 8, 2026 at 12:41

Affected Product

Vendor Linux
Product Linux
Version 9ee11f0fff205b4b3df9750bff5e94f97c71b6a0
Affected Versions Linux Linux 9ee11f0fff205b4b3df9750bff5e94f97c71b6a0
Linux Linux 5.15

AI Assessment

AI Score 9.8 / 10
AI Severity CRITICAL
Vendor Linux
Product Linux Kernel
Version 5.15
