CVE-2026-43083: net/ipv6 IOAM6 OOB
Severity badge: CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
KernelScan AI score: 8.1 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

net: ioam6: fix OOB and missing lock

When trace->type.bit6 is set:

    if (trace->type.bit6) {
        ...
        queue = skb_get_tx_queue(dev, skb);
        qdisc = rcu_dereference(queue->qdisc);

This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index.

This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature.

While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.
02 KernelScan AI Analysis
Risk summary
Remote, unauthenticated attackers can trigger an out-of-bounds array access in the IPv6 IOAM queue-depth trace field (trace type bit6) by sending crafted IPv6 packets that carry an IOAM pre-allocated trace option. When such a packet is received on an ingress device with more RX queues than the egress device has TX queues, skb_get_tx_queue() indexes past the end of the egress device's dev->_tx[] array. The qdisc pointer read from beyond the array is then dereferenced to fetch queue statistics that are written into the packet's trace data, so the outcome ranges from information disclosure (whatever kernel memory the bogus pointer designates is copied into the outgoing trace) to a kernel panic on an invalid pointer. Only hosts that forward IPv6 traffic with IOAM enabled are exposed: IOAM is off by default, and the lookup is reached only on interfaces with net.ipv6.conf.<ifname>.ioam6_enabled set and a matching IOAM namespace configured.
Vulnerability analysis
The root cause is in __ioam6_fill_trace_data(), where skb_get_tx_queue() uses skb->queue_mapping as an index into dev->_tx[] without any bounds check. On the RX path (is_input = true), queue_mapping still holds the ingress RX queue index, which is meaningless for the egress device and may exceed its num_tx_queues. The fix rejects out-of-range indexes with a bounds check of the queue index against dev->num_tx_queues before calling skb_get_tx_queue() (the commit message notes that the helper itself does not clamp), and it wraps qdisc_qstats_qlen_backlog() in spin_lock_bh(), since __ioam6_fill_trace_data() runs from both softirq and process contexts. The bug is remotely reachable over IPv6 because it is triggered while processing received or transit IPv6 packets whose IOAM trace has bit6 (queue depth) set. The commit also states that per-queue visibility cannot be made accurate this way and is slated for replacement by a new feature, so the queue-depth field should be treated as best-effort even on patched kernels.
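The following is an added, user-space model of the bit6 lookup, not the kernel's code: it reproduces the pre-fix index computation (reported as an out-of-bounds flag rather than an actual read, since the read is undefined behaviour here as in the kernel) next to a post-fix version that checks the index against num_tx_queues before touching dev->_tx[]. The struct layouts, the constructed eth0/eth1 topology and the exact form of the check are assumptions; IOAM6_U32_UNAVAILABLE matches the uapi/linux/ioam6.h value, and the model writes the qdisc backlog as the queue-depth value.

```c
/* Added example: model of the IOAM6 queue-depth (bit6) lookup before and
 * after the bounds check. Not kernel code; names loosely mirror the kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IOAM6_U32_UNAVAILABLE 0xffffffffU   /* as in uapi/linux/ioam6.h */

struct Qdisc {
    uint32_t qlen;      /* packets queued */
    uint32_t backlog;   /* bytes queued */
};

struct netdev_queue {
    struct Qdisc *qdisc;
};

struct net_device {
    const char *name;
    unsigned int num_rx_queues;
    unsigned int num_tx_queues;
    struct netdev_queue *_tx;   /* exactly num_tx_queues entries */
};

struct sk_buff {
    uint16_t queue_mapping;     /* on RX: index of the ingress RX queue */
    struct net_device *dev;     /* ingress device */
    struct net_device *dst_dev; /* egress device, i.e. skb_dst(skb)->dev */
};

static inline unsigned int skb_get_queue_mapping(const struct sk_buff *skb)
{
    return skb->queue_mapping;
}

/* Like the kernel helper: indexes dev->_tx[] and does not clamp. */
static inline struct netdev_queue *skb_get_tx_queue(struct net_device *dev,
                                                    const struct sk_buff *skb)
{
    return &dev->_tx[skb_get_queue_mapping(skb)];
}

/* Pre-fix shape of the bit6 branch, reduced to the bounds question:
 * reports whether the slot skb_get_tx_queue() would return lies past the
 * egress device's _tx[] array. The slot is deliberately not dereferenced. */
static bool queue_depth_lookup_is_oob(const struct sk_buff *skb)
{
    const struct net_device *dev = skb->dst_dev;

    return skb_get_queue_mapping(skb) >= dev->num_tx_queues;
}

/* Post-fix shape (assumed form of the check): reject the RX-derived index
 * before using it and report the field as unavailable; otherwise return
 * the selected qdisc's backlog as the queue depth. */
static uint32_t queue_depth_fixed(const struct sk_buff *skb)
{
    struct net_device *dev = skb->dst_dev;
    struct netdev_queue *queue;
    struct Qdisc *qdisc;

    if (skb_get_queue_mapping(skb) >= dev->num_tx_queues)
        return IOAM6_U32_UNAVAILABLE;

    queue = skb_get_tx_queue(dev, skb);
    qdisc = queue->qdisc;   /* kernel: rcu_dereference(queue->qdisc) */
    if (!qdisc)
        return IOAM6_U32_UNAVAILABLE;
    return qdisc->backlog;
}

/* Constructed topology: packets arrive on an 8-queue NIC (eth0) and are
 * forwarded out of a 2-queue device (eth1). */
static struct Qdisc eth1_qdisc[2] = { { 3, 4500 }, { 0, 0 } };
static struct netdev_queue eth1_tx[2] = { { &eth1_qdisc[0] }, { &eth1_qdisc[1] } };
static struct net_device eth0 = { "eth0", 8, 8, NULL };
static struct net_device eth1 = { "eth1", 2, 2, eth1_tx };

/* Constructed skbs: received on eth0 RX queue 5 and RX queue 0, both
 * forwarded via eth1, so queue_mapping still holds the RX index. */
static struct sk_buff forwarded_from_q5 = { 5, &eth0, &eth1 };
static struct sk_buff forwarded_from_q0 = { 0, &eth0, &eth1 };

int main(void)
{
    printf("rx queue 5 -> pre-fix oob=%d, fixed=0x%08x\n",
           queue_depth_lookup_is_oob(&forwarded_from_q5),
           queue_depth_fixed(&forwarded_from_q5));
    printf("rx queue 0 -> pre-fix oob=%d, fixed=%u\n",
           queue_depth_lookup_is_oob(&forwarded_from_q0),
           queue_depth_fixed(&forwarded_from_q0));
    return 0;
}
```

The interesting case is the first skb: its RX index (5) is a valid queue on eth0 but two slots past the end of eth1's two-entry _tx[] array, which is exactly the condition the commit message describes; the fixed path writes IOAM6_U32_UNAVAILABLE instead of reading a qdisc pointer from beyond the array.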
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.24 | 6d1d9ed9b409 |
| 6.19 | 6.19.14 | 95a1334748c9 |
| mainline | 7.0 | b30b1675aa2b |