{"id":"CVE-2026-43186","summary":"ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()\n\nOn the receive path, __ioam6_fill_trace_data() uses trace-\u003enodelen\nto decide how much data to write for each node. It trusts this field\nas-is from the incoming packet, with no consistency check against\ntrace-\u003etype (the 24-bit field that tells which data items are\npresent). A crafted packet can set nodelen=0 while setting type bits\n0-21, causing the function to write ~100 bytes past the allocated\nregion (into skb_shared_info), which corrupts adjacent heap memory\nand leads to a kernel panic.\n\nAdd a shared helper ioam6_trace_compute_nodelen() in ioam6.c to\nderive the expected nodelen from the type field, and use it:\n\n  - in ioam6_iptunnel.c (send path, existing validation) to replace\n    the open-coded computation;\n  - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose\n    nodelen is inconsistent with the type field, before any data is\n    written.\n\nPer RFC 9197, bits 12-21 are each short (4-octet) fields, so they\nare included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to\n0xff1ffc00).","modified":"2026-06-18T03:55:39.022702993Z","published":"2026-05-06T11:27:57.053Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43186.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0591d6509c2ff13f09ea2998434aba0c0472e978"},{"type":"WEB","url":"https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6db8b56eed62baacaf37486e83378a72635c04cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e90346a2f1e8917d5760a44a1f61c44e3b36d96b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea3632aefc04205436868541638e26f4a74d5637"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f4d9d4b8fd839719d564651671e24c62c545c23b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fb3c662fafebc5b9d74417ed1de8759f6bb72143"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43186.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43186"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9ee11f0fff205b4b3df9750bff5e94f97c71b6a0"},{"fixed":"f4d9d4b8fd839719d564651671e24c62c545c23b"},{"fixed":"fb3c662fafebc5b9d74417ed1de8759f6bb72143"},{"fixed":"632d233cf2e64a46865ae2c064ae3c9df7c8864f"},{"fixed":"0591d6509c2ff13f09ea2998434aba0c0472e978"},{"fixed":"e90346a2f1e8917d5760a44a1f61c44e3b36d96b"},{"fixed":"ea3632aefc04205436868541638e26f4a74d5637"},{"fixed":"6db8b56eed62baacaf37486e83378a72635c04cc"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43186.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"5.15.202"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.165"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43186.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}