CRITICAL
ip6_tunnel IPv4 Error Buffer Overflow
CVE-2026-43037
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS score: 9.8 (CRITICAL), scored by KernelScan AI

Description
In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

Oskar Kjos reported the following problem.

ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4).

The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).

To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).

KernelScan AI Analysis
Risk summary
A critical stack buffer overflow in the IPv6 tunnel error path allows a remote, unauthenticated attacker to overflow a fixed 40-byte stack buffer by sending crafted IPv4-over-IPv6 tunnel packets that trigger ICMP error generation. The defect is that the skb control buffer (skb->cb[]) is reused across the IPv6 and IPv4 code paths without being cleared, so a stale IPv6 field is read as an IPv4 option offset and the length of the copy into the fixed-size buffer ends up under attacker control. The impact is kernel memory corruption, denial of service, or potentially code execution.
Vulnerability analysis
Root Cause: ip4ip6_err() in the IPv6 tunnel code does not clear the skb control buffer (skb->cb[]) before generating an ICMP error for an IPv4-over-IPv6 packet. The cb[] region was written by the IPv6 receive path as struct inet6_skb_parm, but icmp_send() hands it to __ip_options_echo() as struct inet_skb_parm (IPv4). Because the two layouts differ, inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, so a non-zero nhoff appears as a non-zero record-route offset. __ip_options_echo() then reads optlen from attacker-controlled packet data at that offset and copies that many bytes into a fixed 40-byte stack buffer.
Attack Surface: This vulnerability affects IPv6 tunnel endpoints that process IPv4-over-IPv6 encapsulated traffic. An attacker can trigger this by sending malformed IPv4 packets encapsulated in IPv6 tunnels that cause ICMP error generation. The attack requires network access to reach the tunnel endpoint but does not require authentication or special privileges.
Fix Mechanism: The patch clears skb2->cb[] with memset() before the clone is passed to icmp_send(), so the IPv4 control block starts from a clean state and opt.rr is zero. It additionally adds minimal validation of the inner IPv4 header, requiring the version field to equal 4 and the Internet Header Length (ihl) to be at least 5 (a 20-byte header minimum).
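The cb[] aliasing and the fix mechanism above, as an added stand-alone C model (not the kernel's own code). The struct field order mirrors inet6_skb_parm and inet_skb_parm as assumed from mainline at the time of the fix; SKB_CB_SIZE and the model_* names are assumptions for this example.

```c
/* Stand-alone model of the cb[] aliasing and of the fix described above.
 * Field order mirrors the kernel's inet6_skb_parm / inet_skb_parm (assumed
 * from mainline at the time of the fix); not the kernel's own code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SKB_CB_SIZE 48                  /* sizeof(struct sk_buff::cb) */

/* IPv6 receive-path view of cb[] (leading fields of inet6_skb_parm). */
struct model_inet6_skb_parm {
    int iif;
    uint16_t ra, dst0, srcrt, dst1, lastopt;
    uint16_t nhoff;                     /* cb offset 14 */
};

/* IPv4 view of the same bytes (inet_skb_parm embedding ip_options). */
struct model_ip_options {
    uint32_t faddr, nexthop;
    unsigned char optlen, srr, rr, ts;  /* rr also at cb offset 14 */
};
struct model_inet_skb_parm {
    int iif;
    struct model_ip_options opt;
};

struct model_skb {
    unsigned char cb[SKB_CB_SIZE];
    const unsigned char *data;          /* inner IPv4 header */
    size_t len;
};

/* opt.rr as icmp_send()'s IPv4 path would read it from this cb[]. */
unsigned char ipv4_rr_seen(const struct model_skb *skb)
{
    struct model_inet_skb_parm p;
    memcpy(&p, skb->cb, sizeof(p));
    return p.opt.rr;
}
/* The fix modelled: before icmp_send(), reject inner headers that are not
 * IPv4 (version 4) or have ihl < 5 (20-byte minimum), then clear cb[] so
 * inet_skb_parm starts clean. Returns true if the packet may proceed. */
bool ip4ip6_err_prepare(struct model_skb *skb2)
{
    if (skb2->len < 20 || (skb2->data[0] >> 4) != 4 || (skb2->data[0] & 0x0f) < 5)
        return false;
    memset(skb2->cb, 0, sizeof(skb2->cb));
    return true;
}
```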
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | ea9f65b27c84 |
| 5.15 | 5.15.203 | d6621f60192f |
| 6.1 | 6.1.168 | 2cc6e3b0fe0f |
| 6.6 | 6.6.134 | a0c4ce9900a1 |
| 6.12 | 6.12.81 | 1063515ce15f |
| 6.18 | 6.18.22 | 590f622669b9 |
| 6.19 | 6.19.12 | 4a622658f384 |
| mainline | 7.0 | 2edfa31769a4 |