Bug 2482061 (CVE-2026-46037)

Summary: CVE-2026-46037 kernel: ipv4: icmp: validate reply type before using icmp_pointers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel, specifically within its IPv4 Internet Control Message Protocol (ICMP) component. This vulnerability occurs because the system does not properly check the type of ICMP replies before attempting to process them. An attacker could potentially exploit this by sending specially crafted extended echo replies, which might cause the system to access memory outside of its intended boundaries. This could lead to system instability, such as a crash, or potentially expose sensitive information.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-27 15:09:26 UTC
In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: validate reply type before using icmp_pointers

Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.
That value is outside the range covered by icmp_pointers[], which only
describes the traditional ICMP types up to NR_ICMP_TYPES.

Avoid consulting icmp_pointers[] for reply types outside that range, and
use array_index_nospec() for the remaining in-range lookup. Normal ICMP
replies keep their existing behavior unchanged.