{"id":"CVE-2026-43341","summary":"net/ipv6: ioam6: prevent schema length wraparound in trace fill","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: ioam6: prevent schema length wraparound in trace fill\n\nioam6_fill_trace_data() stores the schema contribution to the trace\nlength in a u8. With bit 22 enabled and the largest schema payload,\nsclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the\nremaining-space check. __ioam6_fill_trace_data() then positions the\nwrite cursor without reserving the schema area but still copies the\n4-byte schema header and the full schema payload, overrunning the trace\nbuffer.\n\nKeep sclen in an unsigned int so the remaining-space check and the write\ncursor calculation both see the full schema length.","modified":"2026-07-03T18:29:36.641737166Z","published":"2026-05-08T13:37:19.256Z","related":["SUSE-SU-2026:22048-1","SUSE-SU-2026:22076-1","SUSE-SU-2026:22087-1","SUSE-SU-2026:22108-1","SUSE-SU-2026:22137-1","SUSE-SU-2026:22433-1","SUSE-SU-2026:2482-1","SUSE-SU-2026:2591-1","openSUSE-SU-2026:20912-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43341.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50"},{"type":"WEB","url":"https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d3a1fb2ca323d7a4e10ab3afbfa25e6d8921e4f2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43341.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43341"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8c6f6fa6772696be0c047a711858084b38763728"},{"fixed":"d3a1fb2ca323d7a4e10ab3afbfa25e6d8921e4f2"},{"fixed":"e96d48b37708d53cbdc47f6f60b0714fc4a5f596"},{"fixed":"d1b041080086e91d3733a5438a8c51ad5d3d8e09"},{"fixed":"77695a69baca9b99d95fad09fc78c2318736604f"},{"fixed":"184d2e9db27c0f76226b5cad16fe29510a5d2280"},{"fixed":"d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d"},{"fixed":"5e67ba9bb531e1ec6599a82a065dea9040b9ce50"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43341.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.134"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43341.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}