ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
Description
A signed integer overflow in l2tp_ip6_sendmsg in the Linux kernel could lead to memory corruption or system crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A signed integer overflow exists in the l2tp_ip6_sendmsg function in the Linux kernel's IPv6 L2TP implementation. When the len parameter is greater than or equal to INT_MAX - transhdrlen, the calculation ulen = len + transhdrlen overflows, resulting in a small positive or negative value. This can lead to incorrect memory allocation and subsequent buffer overflow. The affected versions are those prior to the fix commits [1] and [2].
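The length arithmetic described above, as an added userspace model in C (not the kernel's code and not taken from the fix commits): it shows the wrapped value next to two guards that reject the length before adding. `TRANSHDRLEN = 4`, the function names and the `-EMSGSIZE` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define TRANSHDRLEN 4 /* assumed transport header size for this model */

/* Unchecked pattern: the total is stored in a signed int. The sum is formed
 * in unsigned arithmetic so this model has no undefined behaviour; the cast
 * yields the wrapped value GCC and Clang produce on two's-complement targets. */
static int wrapped_ulen(size_t len)
{
    return (int)(unsigned int)(len + TRANSHDRLEN);
}

/* Guarded pattern: compare against the remaining headroom before adding. */
static int checked_ulen(size_t len, int *ulen)
{
    if (len > (size_t)(INT_MAX - TRANSHDRLEN))
        return -EMSGSIZE;
    *ulen = (int)len + TRANSHDRLEN;
    return 0;
}

/* Same guard using the compiler's overflow-checking builtin (GCC/Clang). */
static int checked_ulen_builtin(size_t len, int *ulen)
{
    if (__builtin_add_overflow(len, (size_t)TRANSHDRLEN, ulen))
        return -EMSGSIZE;
    return 0;
}

int main(void)
{
    /* Constructed boundary lengths around INT_MAX - TRANSHDRLEN. */
    size_t cases[] = { 1500, (size_t)INT_MAX - 4, (size_t)INT_MAX - 3,
                       (size_t)INT_MAX };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int a = 0, b = 0;
        int ra = checked_ulen(cases[i], &a);
        int rb = checked_ulen_builtin(cases[i], &b);
        printf("len=%zu unchecked=%d guard=%d builtin=%d\n",
               cases[i], wrapped_ulen(cases[i]), ra, rb);
    }
    return 0;
}
```

Both guards accept a length whose total is exactly `INT_MAX` and reject the next one, which is the first length where the unchecked sum turns negative.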
Exploitation
An attacker would need to be able to send L2TP packets over IPv6, which typically requires local user access or the ability to create raw sockets. The attacker would craft a message with a length that triggers the overflow, causing the kernel to allocate an undersized buffer and then copy more data than allocated, leading to memory corruption.
Impact
Successful exploitation could result in a denial of service (system crash) or, if carefully controlled, arbitrary code execution in kernel context. The exact impact depends on the memory layout and the attacker's ability to control the overflowed data.
Mitigation
The fix was applied in the Linux kernel stable branches via commits [1] and [2]. Users should update to a kernel version containing these commits. No workaround is available; the only mitigation is to apply the patch.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (8 versions; < 4.12.14-122.255.1 + 7 more)
  - pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5
  - pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS
  - pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
  - pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS
  - pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
  - pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS
  - pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
  - pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_67&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5
- (no CPE) range: < 4.12.14-122.255.1
- (no CPE) range: < 4.12.14-122.255.1
- (no CPE) range: < 4.12.14-122.255.1
- (no CPE) range: < 4.12.14-122.255.1
- (no CPE) range: < 4.12.14-122.255.1
- (no CPE) range: < 4.12.14-122.255.1
- (no CPE) range: < 4.12.14-122.255.1
- (no CPE) range: < 1-8.5.1
References
- git.kernel.org/stable/c/034246122f5c5e2e2a0b9fe04e24517920e9beb1 (mitre)
- git.kernel.org/stable/c/0e818d433fc2718fe4da044ffca7431812a7e04e (mitre)
- git.kernel.org/stable/c/27a37755ceb401111ded76810359d3adc4b268a1 (mitre)
- git.kernel.org/stable/c/2cf73c7cb6125083408d77f43d0e84d86aed0000 (mitre)
- git.kernel.org/stable/c/2f42389d270f2304c8855b0b63498a5a4d0c053d (mitre)
- git.kernel.org/stable/c/6c4e3486d21173d60925ef52e512cae727b43d30 (mitre)
- git.kernel.org/stable/c/b8879ca1fd7348b4d5db7db86dcb97f60c73d751 (mitre)
- git.kernel.org/stable/c/f638a84afef3dfe10554c51820c16e39a278c915 (mitre)