{"id":"CVE-2026-43038","summary":"ipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n  where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n  and passed to icmp6_send(), it uses IP6CB(skb2).\n\n  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n  offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n  at offset 18.\n\n  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n  would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n  and uses ipv6_find_tlv(skb, opt-\u003edsthao, IPV6_TLV_HAO).\n\n  This would scan the inner, attacker-controlled IPv6 packet starting at that\n  offset, potentially returning a fake TLV without checking if the remaining\n  packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n  of the packet data into skb_shared_info?\n\n  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n  ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway.","modified":"2026-06-19T08:29:32.000870065Z","published":"2026-05-01T14:15:35.986Z","related":["ALSA-2026:25120","ALSA-2026:25121","SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2195-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","SUSE-SU-2026:2450-1","openSUSE-SU-2026:20826-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43038.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43038.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43038"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ca15a078bd907df5fc1c009477869c5cbde3b753"},{"fixed":"c438ba010171b70bad22fc18b1d5bdc3627476e8"},{"fixed":"0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7"},{"fixed":"a4437faf135da293d16fcc4cc607316742bd0ebb"},{"fixed":"3d5127d998de617b130aae96b138dba22ac6a8a7"},{"fixed":"e41953e7d118e2702bcb217879c173d9d1d3cd4e"},{"fixed":"a2edbb6393972a02114b6003953a5cef3104fada"},{"fixed":"1ceeebd5bd6d855b17a5df625109bfe29129d7cf"},{"fixed":"86ab3e55673a7a49a841838776f1ab18d23a67b5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43038.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.13.0"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.134"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43038.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}