CRITICAL
ipv6 SIT InnerHeader UAF
CVE-2026-53228
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.1 (MEDIUM)
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call.

If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released.

Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.
KernelScan AI Analysis
Risk summary
A local user who can obtain CAP_NET_ADMIN (e.g., via user namespaces) can trigger a use-after-free read in the IPv6 SIT tunnel transmit path by sending GSO packets with cloned skb headers through a configured SIT tunnel. The hop limit and DS field are read through the stale inner IPv6 header pointer from freed slab memory, which can leak a few bytes of kernel data and potentially cause a kernel panic.
Vulnerability analysis
The vulnerability is a use-after-free (stale pointer dereference) in ipip6_tunnel_xmit() in net/ipv6/sit.c. At function entry, a pointer iph6 is cached to the inner IPv6 header in the skb head. When iptunnel_handle_offloads() is called for GSO skbs, it invokes skb_header_unclone(), which may call pskb_expand_head() to allocate a new skb head buffer and free the old one. If the subsequent skb_realloc_headroom() branch is not taken, the code proceeds to read iph6->hop_limit and the DS field using the stale pointer, accessing memory that may have been freed.

The fix adds a reload of iph6 = ipv6_hdr(skb) immediately after iptunnel_handle_offloads() succeeds.

Exploitation requires CAP_NET_ADMIN to configure a SIT tunnel, which is achievable from an unprivileged user namespace on default kernels. The bug is a read-only UAF; there is no write primitive.
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.259 | fddd41445a05 |
| 5.15 | 5.15.210 | 1132e5edc286 |
| 6.1 | 6.1.176 | 9c67b44edb35 |
| 6.6 | 6.6.143 | 0bfa7bba1f41 |
| 6.12 | 6.12.94 | 59f80c919713 |
| 6.18 | 6.18.36 | 2fa49b2715e1 |
| 7.0 | 7.0.13 | cb658c2f5f79 |
| mainline | 7.1 | f0e42f0c4337 |