Bug 2467013 (CVE-2026-43083) - CVE-2026-43083 kernel: net: ioam6: fix OOB and missing lock
Summary: CVE-2026-43083 kernel: net: ioam6: fix OOB and missing lock
Keywords:
Status: NEW
Alias: CVE-2026-43083
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-06 10:03 UTC by OSIDB Bzimport
Modified: 2026-05-06 13:56 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-06 10:03:10 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: ioam6: fix OOB and missing lock

When trace->type.bit6 is set:

    if (trace->type.bit6) {
        ...
        queue = skb_get_tx_queue(dev, skb);
        qdisc = rcu_dereference(queue->qdisc);

This code can lead to an out-of-bounds access of the dev->_tx[] array
when is_input is true. In such a case, the packet is on the RX path and
skb->queue_mapping contains the RX queue index of the ingress device. If
the ingress device has more RX queues than the egress device (dev) has
TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.
Add a check to avoid this situation since skb_get_tx_queue() does not
clamp the index. This issue has also revealed that per queue visibility
cannot be accurate and will be replaced later as a new feature.

While at it, add missing lock around qdisc_qstats_qlen_backlog(). The
function __ioam6_fill_trace_data() is called from both softirq and
process contexts, hence the use of spin_lock_bh() here.
Comment 1 Alexander B 2026-05-06 13:53:04 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050615-CVE-2026-43083-c69b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.