2468097 – (CVE-2026-43341) CVE-2026-43341 kernel: net/ipv6: ioam6: prevent schema length wraparound in trace fill

Bug 2468097 (CVE-2026-43341) - CVE-2026-43341 kernel: net/ipv6: ioam6: prevent schema length wraparound in trace fill

Summary: CVE-2026-43341 kernel: net/ipv6: ioam6: prevent schema length wraparound in t...

Keywords:
Status:	NEW
Alias:	CVE-2026-43341
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-08 14:04 UTC by OSIDB Bzimport
Modified:	2026-05-08 19:26 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-08 14:04:20 UTC

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: ioam6: prevent schema length wraparound in trace fill

ioam6_fill_trace_data() stores the schema contribution to the trace
length in a u8. With bit 22 enabled and the largest schema payload,
sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the
remaining-space check. __ioam6_fill_trace_data() then positions the
write cursor without reserving the schema area but still copies the
4-byte schema header and the full schema payload, overrunning the trace
buffer.

Keep sclen in an unsigned int so the remaining-space check and the write
cursor calculation both see the full schema length.

Comment 1 Keith Grant 2026-05-08 19:22:19 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050824-CVE-2026-43341-7c3e@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.