CRITICAL
net/ipv6 IOAM6 Overflow
CVE-2026-43341
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 9.1 CRITICAL
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: ioam6: prevent schema length wraparound in trace fill

ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.

Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.
02 KernelScan AI Analysis
Risk summary
An integer wraparound in the IPv6 IOAM6 trace data path leads to a heap buffer overflow when processing IPv6 packets on systems configured with a large schema and bit 22 enabled. A remote, unauthenticated attacker can trigger this overflow to corrupt kernel memory, potentially leading to code execution or system crashes on systems with IPv6 and IOAM6 enabled.
Vulnerability analysis
The vulnerability occurs in ioam6_fill_trace_data() where the schema length contribution is stored in a u8 variable. With bit 22 enabled and the maximum schema payload of 1020 bytes, the calculation 1 + 1020/4 = 256 overflows the u8 range and wraps to 0, bypassing the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, resulting in an out-of-bounds write beyond the trace buffer. The fix changes sclen to unsigned int so the bounds check and cursor calculation both use the true length. Exploitation requires IPv6 IOAM6 to be configured with a vulnerable schema, but the overflow can be triggered by remote IPv6 packets without privileges or user interaction.
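The wraparound described above can be reproduced in a simplified user-space model. This is an added example, not kernel source and not code from the patch: the function names, the shape of the remaining-space check, and the sample `remlen`/`nodelen` values are assumptions chosen to mirror the description, with all lengths counted in 4-octet words.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model, not kernel source. Lengths are 4-octet words. */
#define SCHEMA_HDR_WORDS 1u /* the 4-byte schema header */

/* Pre-fix: schema contribution truncated to a u8. */
static unsigned int sclen_u8(unsigned int schema_bytes)
{
    uint8_t sclen = (uint8_t)(SCHEMA_HDR_WORDS + schema_bytes / 4);
    return sclen;
}

/* Post-fix: schema contribution kept in an unsigned int. */
static unsigned int sclen_uint(unsigned int schema_bytes)
{
    return SCHEMA_HDR_WORDS + schema_bytes / 4;
}

/* Modelled remaining-space check: 1 means the trace fill goes ahead. */
static int fill_allowed(unsigned int remlen, unsigned int nodelen,
                        unsigned int sclen)
{
    return remlen != 0 && remlen >= nodelen + sclen;
}

/* Schema words copied without having been reserved (0 = consistent). */
static unsigned int unreserved_words(unsigned int remlen, unsigned int nodelen,
                                     unsigned int schema_bytes, int use_u8)
{
    unsigned int sclen = use_u8 ? sclen_u8(schema_bytes)
                                : sclen_uint(schema_bytes);
    unsigned int copied = SCHEMA_HDR_WORDS + schema_bytes / 4;

    if (!fill_allowed(remlen, nodelen, sclen))
        return 0; /* fill skipped, nothing is written */
    return copied - sclen;
}

int main(void)
{
    /* Constructed sample: 10 words remaining, 2-word node data, 1020-byte schema. */
    printf("u8 sclen=%u, unreserved words=%u\n",
           sclen_u8(1020), unreserved_words(10, 2, 1020, 1));
    printf("uint sclen=%u, unreserved words=%u\n",
           sclen_uint(1020), unreserved_words(10, 2, 1020, 0));
    return 0;
}
```

With the u8 the check passes and 256 words (1024 bytes) are copied with no space reserved; with the unsigned int the same input fails the check and nothing is written.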
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.168 | e96d48b37708 |
| 6.12 | 6.12.81 | 77695a69baca |
| 6.18 | 6.18.22 | 184d2e9db27c |
| 6.19 | 6.19.12 | d6e1c9b02d85 |
| 6.6 | 6.6.134 | d1b041080086 |
| mainline | 7.0 | 5e67ba9bb531 |