HIGH
net/ipv6 NDISC Leak
CVE-2026-43040
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 4.0 MEDIUM
Description
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak. When processing Router Advertisements with user options, the kernel builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct has three padding fields that are never zeroed and can leak kernel data. The fix is simple: it just zeroes the padding fields.
KernelScan AI Analysis
Risk summary
Unprivileged local processes can obtain residual kernel memory contents through uninitialized padding fields in IPv6 Router Advertisement netlink messages. The leak is limited to a small number of bytes per message, but may contain heap or stack data useful for bypassing kernel ASLR.
Vulnerability analysis
The ndisc_ra_useropt function builds an RTM_NEWNDUSEROPT rtnetlink message when processing IPv6 Router Advertisements that contain user options. The nduseroptmsg structure includes three padding fields (nduseropt_pad1, nduseropt_pad2, nduseropt_pad3) that were never explicitly initialized, so whatever kernel memory previously occupied those bytes is copied into the message payload. Any local process subscribed to the appropriate NETLINK_ROUTE multicast group receives these messages and can read the leaked bytes. The fix zeroes the padding fields before the message is sent. Exploitation does not require the attacker to trigger a Router Advertisement themselves; passively receiving legitimately generated RAs is sufficient to capture the leaked bytes.
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 1da9023f6b07 |
| 5.15 | 5.15.203 | 2fe4d0ba690a |
| 6.1 | 6.1.168 | 11d7fe97421c |
| 6.6 | 6.6.134 | 7f56d87e527b |
| 6.12 | 6.12.81 | 4f810c686fde |
| 6.18 | 6.18.22 | b485eef3d97b |
| 6.19 | 6.19.12 | ef3645606e4a |
| mainline | 7.0 | ae05340ccaa9 |