Bug 2464397 (CVE-2026-43038) - CVE-2026-43038 kernel: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
Summary: CVE-2026-43038 kernel: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unr...
Keywords:
Status: NEW
Alias: CVE-2026-43038
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-01 15:04 UTC by OSIDB Bzimport
Modified: 2026-06-17 09:18 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2026:22900  0        None      None    None     2026-06-03 15:19:26 UTC
Red Hat Product Errata  RHSA-2026:22940  0        None      None    None     2026-06-03 19:17:53 UTC
Red Hat Product Errata  RHSA-2026:22964  0        None      None    None     2026-06-04 15:45:52 UTC
Red Hat Product Errata  RHSA-2026:23224  0        None      None    None     2026-06-04 12:16:35 UTC
Red Hat Product Errata  RHSA-2026:23237  0        None      None    None     2026-06-04 10:22:44 UTC
Red Hat Product Errata  RHSA-2026:24343  0        None      None    None     2026-06-08 03:03:30 UTC
Red Hat Product Errata  RHSA-2026:25120  0        None      None    None     2026-06-10 20:00:22 UTC
Red Hat Product Errata  RHSA-2026:25121  0        None      None    None     2026-06-10 21:39:05 UTC
Red Hat Product Errata  RHSA-2026:25533  0        None      None    None     2026-06-12 19:51:49 UTC
Red Hat Product Errata  RHSA-2026:26535  0        None      None    None     2026-06-17 09:18:46 UTC

Description OSIDB Bzimport 2026-05-01 15:04:29 UTC
In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet
  where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2
  and passed to icmp6_send(), it uses IP6CB(skb2).

  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso
  offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm
  at offset 18.

  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao
  would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called
  and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).

  This would scan the inner, attacker-controlled IPv6 packet starting at that
  offset, potentially returning a fake TLV without checking if the remaining
  packet length can hold the full 18-byte struct ipv6_destopt_hao.

  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end
  of the packet data into skb_shared_info?

  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and
  ip6ip6_err() to prevent this?

This patch implements the first suggestion.

I am not sure if ip6ip6_err() needs to be changed.
A separate patch would be better anyway.
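The control-block aliasing the commit message describes, as an added userspace illustration (this is not kernel code and not part of the bug report or the patch). The two struct layouts are reconstructed from the mainline headers for struct inet_skb_parm / struct ip_options and struct inet6_skb_parm (with CONFIG_IPV6_MIP6) and are assumed to match; the `_v4`/`_v6` suffixed type names, the `SKB_CB_SIZE` constant and the `hao_fits()` helper are this example's own. It shows that `cipso` and `dsthao` both land at byte 18 of `cb[]`, that reading an IPv4 parm through the IPv6 view yields a non-zero `dsthao`, that clearing `cb[]` (the fix) makes it read as zero, and the length check a HAO lookup needs before touching the 18-byte option.

```c
/* Added illustration, not kernel code.  Struct layouts below are ASSUMED to
 * match the leading fields of the kernel's inet_skb_parm/ip_options and
 * inet6_skb_parm (CONFIG_IPV6_MIP6=y); verify against your tree with pahole. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_CB_SIZE 48          /* assumed: sizeof(skb->cb) in mainline */
#define IPV6_DESTOPT_HAO_LEN 18 /* type(1) + length(1) + in6_addr(16)   */

/* IPv4 view, IPCB(skb): trimmed to the fields up to and including cipso. */
struct ip_options_v4 {
    uint32_t faddr;
    uint32_t nexthop;
    unsigned char optlen;
    unsigned char srr;
    unsigned char rr;
    unsigned char ts;
    unsigned char is_strictroute:1, srr_is_hit:1, is_changed:1,
                  rr_needaddr:1, ts_needtime:1, ts_needaddr:1;
    unsigned char router_alert;
    unsigned char cipso;        /* byte 18 of cb[] once nested below */
    unsigned char __pad2;
};

struct inet_skb_parm_v4 {
    int iif;
    struct ip_options_v4 opt;
};

/* IPv6 view, IP6CB(skb). */
struct inet6_skb_parm_v6 {
    int iif;
    uint16_t ra, dst0, srcrt, dst1, lastopt, nhoff, flags;
    uint16_t dsthao;            /* byte 18 of cb[] */
    uint16_t frag_max_size, srhoff;
};

static size_t cipso_cb_offset(void)
{
    return offsetof(struct inet_skb_parm_v4, opt) +
           offsetof(struct ip_options_v4, cipso);
}

static size_t dsthao_cb_offset(void)
{
    return offsetof(struct inet6_skb_parm_v6, dsthao);
}

/* Fill cb[] the way the IPv4 path would for a packet carrying a CIPSO option. */
static void fill_cb_as_ipv4(unsigned char cb[SKB_CB_SIZE], unsigned char cipso_off)
{
    struct inet_skb_parm_v4 v4;

    memset(cb, 0, SKB_CB_SIZE);
    memset(&v4, 0, sizeof v4);
    v4.opt.cipso = cipso_off;       /* non-zero only when a CIPSO option was parsed */
    memcpy(cb, &v4, sizeof v4);
}

/* What icmp6_send()/mip6_addr_swap() would read as opt->dsthao. */
static uint16_t read_dsthao(const unsigned char cb[SKB_CB_SIZE])
{
    struct inet6_skb_parm_v6 v6;

    memcpy(&v6, cb, sizeof v6);     /* IP6CB(skb2) reinterprets the same bytes */
    return v6.dsthao;
}

/* Pre-fix: skb2 is a clone, so cb[] still holds the outer IPv4 parm. */
static uint16_t dsthao_without_clear(unsigned char cipso_off)
{
    unsigned char cb[SKB_CB_SIZE];

    fill_cb_as_ipv4(cb, cipso_off);
    return read_dsthao(cb);
}

/* Post-fix: cb[] is cleared before the IPv6 code looks at it. */
static uint16_t dsthao_with_clear(unsigned char cipso_off)
{
    unsigned char cb[SKB_CB_SIZE];

    fill_cb_as_ipv4(cb, cipso_off);
    memset(cb, 0, sizeof cb);       /* the one-line fix applied to skb2 */
    return read_dsthao(cb);
}

/* Length check a HAO consumer needs: the whole 18-byte option must fit. */
static int hao_fits(size_t pkt_len, size_t hao_off)
{
    return hao_off < pkt_len && pkt_len - hao_off >= IPV6_DESTOPT_HAO_LEN;
}

int main(void)
{
    printf("cipso at cb+%zu, dsthao at cb+%zu\n", cipso_cb_offset(), dsthao_cb_offset());
    printf("dsthao via IP6CB without clear: %u\n", dsthao_without_clear(20));
    printf("dsthao via IP6CB after clear:   %u\n", dsthao_with_clear(20));
    printf("HAO at 40 in 56-byte packet fits: %d\n", hao_fits(56, 40));
    return 0;
}
```

The byte-18 overlap is the whole story: a 16-bit `dsthao` read over a 1-byte `cipso` plus a zero pad byte is non-zero on either endianness, so the IPv6 path believes a Home Address option exists at an attacker-chosen offset in the inner packet. Clearing `skb2->cb[]` after the clone removes the stale IPv4 state; the separate `hao_fits()` check is the defence-in-depth a TLV consumer should apply regardless.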

Comment 4 errata-xmlrpc 2026-06-03 15:19:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:22900 https://access.redhat.com/errata/RHSA-2026:22900

Comment 5 errata-xmlrpc 2026-06-03 19:17:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:22940 https://access.redhat.com/errata/RHSA-2026:22940

Comment 6 errata-xmlrpc 2026-06-04 10:22:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:23237 https://access.redhat.com/errata/RHSA-2026:23237

Comment 7 errata-xmlrpc 2026-06-04 12:16:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:23224 https://access.redhat.com/errata/RHSA-2026:23224

Comment 8 errata-xmlrpc 2026-06-04 15:45:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:22964 https://access.redhat.com/errata/RHSA-2026:22964

Comment 9 errata-xmlrpc 2026-06-08 03:03:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:24343 https://access.redhat.com/errata/RHSA-2026:24343

Comment 10 errata-xmlrpc 2026-06-10 20:00:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:25120 https://access.redhat.com/errata/RHSA-2026:25120

Comment 11 errata-xmlrpc 2026-06-10 21:39:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:25121 https://access.redhat.com/errata/RHSA-2026:25121

Comment 12 errata-xmlrpc 2026-06-12 19:51:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On
  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support

Via RHSA-2026:25533 https://access.redhat.com/errata/RHSA-2026:25533

Comment 13 errata-xmlrpc 2026-06-17 09:18:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:26535 https://access.redhat.com/errata/RHSA-2026:26535

