CVE-2026-43037
CRITICAL EPSS 42.6%
Published May 1, 20261mo ago · Modified Jun 27, 20262d ago
9.8 CVSS 3.1
Published May 1, 2026 1mo ago
Last Modified Jun 27, 2026 2d ago
Description
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
42.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 2
CWE-787 Out-of-bounds Write Memory Safety
CWE-843
Affected Products 13
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥2.6.22 – <5.10.253 |
| linux | linux_kernel | * | ≥5.11 – <5.15.203 |
| linux | linux_kernel | * | ≥5.16 – <6.1.168 |
| linux | linux_kernel | * | ≥6.2 – <6.6.134 |
| linux | linux_kernel | * | ≥6.7 – <6.12.81 |
| linux | linux_kernel | * | ≥6.13 – <6.18.22 |
| linux | linux_kernel | * | ≥6.19 – <6.19.12 |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
References 39
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:22900
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:22940
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:22964
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:23224
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:23237
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:24343
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25120
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25121
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25181
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25186
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25191
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25193
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25200
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25217
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25533
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:25534
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:26528
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:26535
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:26542
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:27719
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:27729
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:28738
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:28740
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:28741
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:28742
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:28748
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:28749
- access.redhat.com https://access.redhat.com/errata/RHSA-2026:28750
- access.redhat.com https://access.redhat.com/security/cve/CVE-2026-43037
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2464351
- git.kernel.org https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876
- git.kernel.org https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5
- git.kernel.org https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925
- git.kernel.org https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8
- git.kernel.org https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3
- git.kernel.org https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39
- git.kernel.org https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f
- git.kernel.org https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629
- security.access.redhat.com https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43037.json
Remediation
- git.kernel.org https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876
- git.kernel.org https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5
- git.kernel.org https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925
- git.kernel.org https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8
- git.kernel.org https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3
- git.kernel.org https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39
- git.kernel.org https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f
- git.kernel.org https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629