HIGH
net/ipv6 AddrConf UAF
CVE-2026-43339
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI5.7MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UaF in addrconf_permanent_addr() The mentioned helper try to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion. Reorder the statement to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection.
02KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in IPv6 address configuration can lead to kernel memory corruption when permanent address setup fails. This affects systems with IPv6 enabled where network interface operations trigger the vulnerable code path. Exploitation requires elevated privileges but could result in kernel crashes or code execution.
Vulnerability analysis
The vulnerability occurs in addrconf_permanent_addr() where a warning message accesses an IPv6 address structure (ifp->addr) after calling ipv6_del_addr(ifp), which may have freed the structure. This creates a use-after-free condition that could lead to memory corruption. The fix reorders operations to print the warning before deletion and moves it outside the lock. The attack surface is limited to systems with IPv6 enabled and requires privileges to manipulate network interfaces, but successful exploitation could achieve arbitrary kernel code execution.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | eec49a33611f |
| 5.15 | 5.15.203 | bacc7f31085c |
| 6.1 | 6.1.168 | 7bfafa1b0cd5 |
| 6.12 | 6.12.81 | 25357b670afb |
| 6.18 | 6.18.22 | 3cd4efb5df72 |
| 6.19 | 6.19.12 | 2d88ed7fa000 |
| 6.6 | 6.6.134 | 7d9f2f4aabd1 |
| mainline | 7.0 | fd63f185979b |