KernelScan.io

HIGH

net/ipv4 ICMP ArrayIndex OOB

CVE-2026-46037

CVSS 8.2 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

KernelScan AI 8.6 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: validate reply type before using icmp_pointers

Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES. Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged.

02

Engine v0.2.0

Risk summary

A remote attacker can send an RFC 8335 extended echo request (type ICMP_EXT_ECHO) to a host that answers such probes. The kernel builds the reply with type ICMP_EXT_ECHOREPLY (43), which lies above NR_ICMP_TYPES (18), and icmp_glue_bits() used that reply type as an unchecked index into icmp_pointers[]. The out-of-bounds read fetches the error flag from read-only data past the end of the static table, and whatever value it finds there decides whether nf_ct_attach() is called for the reply skb. Nothing read is returned to the sender; the effect is an internal out-of-bounds read in the ICMP reply path and a conntrack decision based on a value that is not a table entry. Exposure requires net.ipv4.icmp_echo_enable_probe to be set; it defaults to 0, and hosts that leave it off never build an extended echo reply and do not reach the faulty lookup.

Affected: net/ipv4/icmp.c (IPv4 ICMP)

Vulnerability analysis

The out-of-bounds index is taken in icmp_glue_bits(), which reads icmp_pointers[icmp_param->data.icmph.type].error while copying the reply payload to decide whether to call nf_ct_attach(). icmp_pointers[] has NR_ICMP_TYPES + 1 entries and covers types 0 through 18; ICMP_EXT_ECHOREPLY is 43, so the lookup starts 24 entries past the end of the array. The array is static const, so the read lands in adjacent read-only data rather than slab memory, and the stray value does not corrupt a pointer: nf_ct_attach() still receives the reply skb and the request skb, and the only consequence is that conntrack is attached, or not attached, based on a flag that is not part of the table. The RFC 8335 PROBE support that introduced ICMP_EXT_ECHO and ICMP_EXT_ECHOREPLY handling added a reply type the table does not describe without validating it on this path. The fix skips the lookup entirely when type > NR_ICMP_TYPES and applies array_index_nospec(type, NR_ICMP_TYPES + 1) to the remaining in-range lookup, so a mispredicted bounds check cannot be used to read past the array speculatively; ordinary echo, timestamp and error replies are unaffected. To check whether a host can reach the faulty path before the fix is applied, read net.ipv4.icmp_echo_enable_probe: a value of 0 (the default) means extended echo requests are not answered.
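As an added example (not kernel code and not KernelScan's own output), the user-space C below models the lookup in icmp_glue_bits() before and after the fix. The type constants match include/uapi/linux/icmp.h; the contents of icmp_pointers[], the handler stub, the probe_enabled flag and the helper names vulnerable_lookup_overrun_bytes() and fixed_should_attach_conntrack() are constructed for this example, and array_index_mask_nospec() is a user-space copy of the kernel's generic branch-free mask.

```c
/* Added example, not kernel code: a user-space model of the reply-type
 * lookup in net/ipv4/icmp.c before and after the fix. Type constants match
 * include/uapi/linux/icmp.h; the table contents are constructed and only
 * the in-range / out-of-range behaviour matters. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_ICMP_TYPES       18  /* icmp_pointers[] has NR_ICMP_TYPES + 1 slots */
#define ICMP_ECHOREPLY       0
#define ICMP_DEST_UNREACH    3
#define ICMP_ECHO            8
#define ICMP_TIME_EXCEEDED  11
#define ICMP_EXT_ECHO       42  /* RFC 8335 PROBE request */
#define ICMP_EXT_ECHOREPLY  43  /* RFC 8335 PROBE reply */

struct icmp_control {
	int (*handler)(const void *skb); /* unused stub; keeps the 16-byte 64-bit layout */
	short error;                     /* non-zero for error messages; gates nf_ct_attach() */
};

/* Constructed stand-in for icmp_pointers[]: only the error flag is modelled. */
static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
	[ICMP_DEST_UNREACH]  = { .error = 1 },
	[4]                  = { .error = 1 }, /* ICMP_SOURCE_QUENCH */
	[5]                  = { .error = 1 }, /* ICMP_REDIRECT */
	[ICMP_TIME_EXCEEDED] = { .error = 1 },
	[12]                 = { .error = 1 }, /* ICMP_PARAMETERPROB */
};

/* Reply type chosen for an echo-class request, as icmp_echo() does: the
 * ICMP_EXT_ECHO path is only taken when net.ipv4.icmp_echo_enable_probe is
 * set. Returns -1 when no reply is generated. */
int icmp_echo_reply_type(uint8_t request_type, bool probe_enabled)
{
	if (request_type == ICMP_ECHO)
		return ICMP_ECHOREPLY;
	if (request_type == ICMP_EXT_ECHO && probe_enabled)
		return ICMP_EXT_ECHOREPLY;
	return -1;
}

/* Pre-fix icmp_glue_bits() indexed icmp_pointers[] with the raw reply type.
 * Instead of performing that read, report where it would land: -1 if the
 * index is in bounds, otherwise how many bytes past the end of the array
 * the read of icmp_pointers[type] would start. */
long vulnerable_lookup_overrun_bytes(unsigned int type)
{
	long off = (long)type * (long)sizeof(struct icmp_control);
	long end = (long)sizeof(icmp_pointers);

	return off < end ? -1 : off - end;
}

/* User-space copy of the kernel's generic array_index_mask_nospec(): all
 * ones when index < size, zero otherwise, computed without a branch so a
 * mispredicted bounds check cannot speculatively use an out-of-range
 * index. Like the kernel, it relies on arithmetic right shift of a
 * negative long. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
						    unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

#define array_index_nospec(index, size) \
	((index) & array_index_mask_nospec((index), (size)))

/* Post-fix logic: reply types the table does not describe skip it
 * entirely; in-range types are clamped speculatively before the read.
 * Returns 1/0 for whether nf_ct_attach() would be called, -1 if the table
 * was not consulted. */
int fixed_should_attach_conntrack(unsigned int type)
{
	if (type > NR_ICMP_TYPES)
		return -1;
	type = array_index_nospec(type, NR_ICMP_TYPES + 1);
	return icmp_pointers[type].error != 0;
}

int main(void)
{
	unsigned int types[] = { ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_EXT_ECHOREPLY };

	for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++)
		printf("type %2u: pre-fix overrun %ld bytes, post-fix attach=%d\n",
		       types[i], vulnerable_lookup_overrun_bytes(types[i]),
		       fixed_should_attach_conntrack(types[i]));
	printf("EXT_ECHO reply type with probe off/on: %d / %d\n",
	       icmp_echo_reply_type(ICMP_EXT_ECHO, false),
	       icmp_echo_reply_type(ICMP_EXT_ECHO, true));
	return 0;
}
```

With the kernel's 16-byte entries the pre-fix read for type 43 starts 384 bytes past the array, and the post-fix path never consults the table for that type; the probe flag in icmp_echo_reply_type() is the model of the sysctl gate that decides whether a host reaches the lookup at all.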

03

Branch     Fixed in   Patch commit
5.15       5.15.209   b3a88fc5ae02
6.1        6.1.175    93df2af4f491
6.6        6.6.140    92e7c209036d
6.12       6.12.86    bc64a66e0b9a
6.18       6.18.27    c2178ff1c70e
7.0        7.0.4      d700c34a5d18
mainline   7.1-rc1    67bf002a2d73