{"id":"CVE-2026-53263","summary":"6lowpan: fix off-by-one in multicast context address compression","details":"In the Linux kernel, the following vulnerability has been resolved:\n\n6lowpan: fix off-by-one in multicast context address compression\n\nThe second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses\n&data[1] as destination and &ipaddr-\u003es6_addr[11] as source, but\nboth should be offset by one: &data[2] and &ipaddr-\u003es6_addr[12]\nrespectively.\n\nThis off-by-one has two consequences:\n1. data[1] is overwritten with s6_addr[11], corrupting the RIID\n   field in the compressed multicast address\n2. data[5] is never written, so uninitialized kernel stack memory\n   is transmitted over the network via lowpan_push_hc_data(),\n   leaking kernel stack contents\n\nThe correct inline data layout must match what the decompression\nfunction lowpan_uncompress_multicast_ctx_daddr() expects:\n  data[0..1] = s6_addr[1..2]  (flags/scope + RIID)\n  data[2..5] = s6_addr[12..15] (group ID)\n\nAlso zero-initialize the data array as a defensive measure against\nsimilar bugs in the future.","modified":"2026-06-27T12:02:21.197827265Z","published":"2026-06-25T08:39:51.215Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53263.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/06ce6fc106b16dec9b535950db626261be865e5b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2a58899d11009bffc7b4b32a571858f381121837"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4485d79617520d84ba5a14515e2b5136007d6deb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c32f30ef5e66adbfa102348e2e8a23776eb007cb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da8808463882c3f3c357b072e25053c2121f1419"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da8cbb64b47e9066b40af0de170901caf17b768c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f24a58c72a45f4c109f3557a760cc4b60b7a6037"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53263.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53263"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5609c185f24dffca5f6a9c127106869da150be03"},{"fixed":"f24a58c72a45f4c109f3557a760cc4b60b7a6037"},{"fixed":"da8cbb64b47e9066b40af0de170901caf17b768c"},{"fixed":"4485d79617520d84ba5a14515e2b5136007d6deb"},{"fixed":"06ce6fc106b16dec9b535950db626261be865e5b"},{"fixed":"dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af"},{"fixed":"c32f30ef5e66adbfa102348e2e8a23776eb007cb"},{"fixed":"da8808463882c3f3c357b072e25053c2121f1419"},{"fixed":"2a58899d11009bffc7b4b32a571858f381121837"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53263.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.6.0"},{"fixed":"5.10.259"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.143"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.94"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.36"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53263.json"}}],"schema_version":"1.7.5"}