{"id":"CVE-2026-43037","summary":"ip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt-\u003e__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2-\u003ecb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl \u003e= 5).","modified":"2026-06-19T08:29:26.430958439Z","published":"2026-05-01T14:15:35.314Z","related":["ALSA-2026:25120","ALSA-2026:25121","ALSA-2026:25191","ALSA-2026:25217","SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","SUSE-SU-2026:2310-1","SUSE-SU-2026:2317-1","SUSE-SU-2026:2331-1","SUSE-SU-2026:2332-1","SUSE-SU-2026:2383-1","SUSE-SU-2026:2421-1","SUSE-SU-2026:2450-1","openSUSE-SU-2026:20826-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43037.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43037.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43037"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c4d3efafcc933fd2ffd169d7dc4f980393a13796"},{"fixed":"ea9f65b27c8404e164848ebff1443310fd187629"},{"fixed":"d6621f60192fe10c047a4487be42a6f4c150707f"},{"fixed":"2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5"},{"fixed":"a0c4ce9900a108eaf55d0f3b399cb55999647d39"},{"fixed":"1063515ce15ff31065c4e7f8265f4c2fd3c54876"},{"fixed":"590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3"},{"fixed":"4a622658f384b03560834cbe8ffcfe69a278f7c8"},{"fixed":"2edfa31769a4add828a7e604b21cb82aaaa05925"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43037.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.22"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.134"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43037.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}