KernelScan.io

HIGH

net/ipv6 IOAM Deref

CVE-2026-43101

CVSS 7.5 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI 7.5 HIGH


In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()

We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian.

Also add skb_dst_dev_rcu() instead of skb_dst_dev(), and two missing READ_ONCE().

Note that @dev can't be NULL.


Engine v0.2.0

Risk summary

Remote attackers can crash systems with IPv6 IOAM enabled by sending crafted IPv6 packets with IOAM trace options. The vulnerability causes NULL pointer dereferences when processing IOAM data, leading to kernel panics and system unavailability. Systems with IPv6 connectivity are at risk.

Affected: net/ipv6/ioam6.c (IPv6 IOAM)

Vulnerability analysis

The vulnerability exists in the IPv6 IOAM trace data processing function where __in6_dev_get() calls can return NULL but the code directly dereferences these pointers without validation. This occurs when accessing IPv6 device configuration for IOAM ID fields. The fix adds proper NULL checks and uses fallback values (IOAM6_U16_UNAVAILABLE / IOAM6_U32_UNAVAILABLE) when device configuration is unavailable. The attack surface is any IPv6-enabled system processing IOAM hop-by-hop options, reachable via crafted IPv6 extension headers. Note that IOAM processing requires the per-interface sysctl ioam6_enabled to be set to 1 (default is 0), so systems with default configuration are not affected.
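An exposure check built from the two conditions above, as an added example that is not KernelScan or kernel code: it lists interfaces with ioam6_enabled set to 1 and compares the kernel version with the fixed versions in this page's table. The function names and the fixed/unpatched/unknown labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not KernelScan or kernel code). Exposure check for this CVE.

# ioam6_enabled_ifaces [conf_root]
# Print every entry under conf_root whose ioam6_enabled sysctl is 1.
# The "all" and "default" pseudo-entries are listed too if set.
ioam6_enabled_ifaces() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    for f in "$root"/*/ioam6_enabled; do
        [ -r "$f" ] || continue          # no match, or kernel built without IOAM
        val=$(cat "$f" 2>/dev/null) || continue
        if [ "$val" = "1" ]; then
            dir=${f%/ioam6_enabled}
            printf '%s\n' "${dir##*/}"
        fi
    done
}

# fix_status <kernel-release>
# Compare an upstream-style version with the "Fixed in" column of the page.
# Prints fixed, unpatched, or unknown (branch not listed on the page).
# Distro backports and 7.0 release candidates are not distinguished.
fix_status() {
    ver=${1%%-*}                         # "6.18.23-generic" -> "6.18.23"
    maj=${ver%%.*}; rest=${ver#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0        # two-part version such as "7.0"
    pat=${pat%%[!0-9]*}; pat=${pat:-0}
    case "$maj.$min" in
        6.18) [ "$pat" -ge 24 ] && echo fixed || echo unpatched ;;
        6.19) [ "$pat" -ge 14 ] && echo fixed || echo unpatched ;;
        *) if [ "$maj" -ge 7 ] 2>/dev/null; then echo fixed; else echo unknown; fi ;;
    esac
}

# Report for the running host.
status=$(fix_status "$(uname -r)")
ifaces=$(ioam6_enabled_ifaces | tr '\n' ' ')
echo "kernel $(uname -r): $status; ioam6_enabled=1 on: ${ifaces:-none}"
```

A host is of interest only when the status is not "fixed" and at least one interface is listed; an "unknown" status means the branch does not appear in the table on this page.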


Branch     Fixed in   Patch commit
6.18       6.18.24    4198aab6f000
6.19       6.19.14    3719c234fa94
mainline   7.0        4e65a8b8daa1