CVE-2026-43037
Description
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Oskar Kjos reported the following problem.
ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).
To fix this we clear skb2->cb[], as suggested by Oskar Kjos.
Also add minimal IPv4 header validation (version == 4, ihl >= 5).
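The layout overlap described above, reproduced in user space as an added example (not code from the kernel or from the patch). The `model_*` structs are abridged stand-ins that carry only the leading fields needed to reach offset 14, all function names are hypothetical, and any `nhoff` value passed in is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CB_SIZE 48                      /* size of skb->cb[] */

/* Abridged model of the IPv6 view of cb[] (leading fields only). */
struct model_inet6_skb_parm {
    int32_t  iif;
    uint16_t ra, dst0, srcrt, dst1, lastopt;
    uint16_t nhoff;                     /* lands at offset 14 */
};

/* Abridged model of the IPv4 view: iif followed by the options block. */
struct model_ip_options {
    uint32_t faddr, nexthop;
    uint8_t  optlen, srr;
    uint8_t  rr;                        /* offset 10 here, 14 within cb[] */
    uint8_t  ts;
};
struct model_inet_skb_parm {
    int32_t iif;
    struct model_ip_options opt;
};

/* IPv6 receive path: stores its own parameter block in cb[]. */
void ipv6_rx_fill_cb(unsigned char cb[CB_SIZE], uint16_t nhoff)
{
    struct model_inet6_skb_parm p6 = { .nhoff = nhoff };
    memset(cb, 0, CB_SIZE);
    memcpy(cb, &p6, sizeof(p6));
}

/* IPv4 ICMP path: reads the same bytes back as the IPv4 block. */
uint8_t ipv4_view_rr(const unsigned char cb[CB_SIZE])
{
    struct model_inet_skb_parm p4;
    memcpy(&p4, cb, sizeof(p4));
    return p4.opt.rr;
}

/* The fix: clear cb[] before the buffer is handed to IPv4 code. */
void clear_cb(unsigned char cb[CB_SIZE]) { memset(cb, 0, CB_SIZE); }

/* The added sanity check: version == 4 and ihl >= 5 in the first byte. */
int ipv4_hdr_minimally_valid(const unsigned char *hdr, size_t len)
{
    return len >= 1 && (hdr[0] >> 4) == 4 && (hdr[0] & 0x0f) >= 5;
}
```

With a stale IPv6 block in `cb[]`, `ipv4_view_rr()` returns a non-zero record-route offset that no IPv4 option parser ever set; after `clear_cb()` it returns 0, so the options echo has nothing to copy.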
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.22,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
News mentions
- Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation (Tenable Blog · May 14, 2026)
- Fragnesia: New Linux kernel LPE bug was spawned by Dirty Frag patch (CVE-2026-46300) (Help Net Security · May 14, 2026)
- New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation (SecurityWeek · May 14, 2026)
- Dirty Frag gets a sequel as Fragnesia hands Linux attackers root-level access (The Register Security · May 14, 2026)
- New Fragnesia Linux flaw lets attackers gain root privileges (BleepingComputer · May 14, 2026)
- New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption (The Hacker News · May 14, 2026)
- Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits (The Register Security · May 13, 2026)
- When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise (Rapid7 Blog · May 13, 2026)
- Patch Tuesday - May 2026 (Rapid7 Blog · May 13, 2026)
- Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities (Cisco Talos Intelligence · May 12, 2026)
- Microsoft May 2026 Patch Tuesday, (Tue, May 12th) (SANS Internet Storm Center · May 12, 2026)
- Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103) (Tenable Blog · May 12, 2026)
- When "idle" isn't idle: how a Linux kernel optimization became a QUIC bug (Cloudflare Blog · May 12, 2026)
- Copy.Fail Linux Vulnerability (Schneier on Security · May 12, 2026)
- Apple Patches Everything, (Mon, May 11th) (SANS Internet Storm Center · May 11, 2026)
- Linux developers weigh emergency “killswitch” for vulnerable kernel functions (Help Net Security · May 11, 2026)
- 11th May – Threat Intelligence Report (Check Point Research · May 11, 2026)
- Dirty Frag: Linux kernel hit by second major security flaw in two weeks (The Record · May 11, 2026)
- Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain (Tenable Blog · May 8, 2026)
- Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th) (SANS Internet Storm Center · May 8, 2026)
- Dirty Frag: Unpatched Linux vulnerability delivers root access (Help Net Security · May 8, 2026)
- 'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploit (The Register Security · May 8, 2026)
- Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions (The Hacker News · May 8, 2026)
- Unplug your way to better code (Cisco Talos Intelligence · May 7, 2026)
- How Cloudflare responded to the “Copy Fail” Linux vulnerability (Cloudflare Blog · May 7, 2026)
- Attackers are cashing in on fresh 'CopyFail' Linux flaw (The Register Security · May 5, 2026)
- UAT-8302 and its box full of malware (Cisco Talos Intelligence · May 5, 2026)
- TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th) (SANS Internet Storm Center · May 4, 2026)
- Week in review: High-severity LPE vulnerability in the Linux kernel, cPanel 0-day exploited for months (Help Net Security · May 3, 2026)
- Metasploit Wrap-Up 05/01/2026 (Rapid7 Blog · May 1, 2026)
- Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability (Tenable Blog · Apr 30, 2026)
- Nine-year-old Linux kernel flaw enables reliable local privilege escalation (CVE-2026-31431) (Help Net Security · Apr 30, 2026)
- Linux cryptographic code flaw offers fast route to root (The Register Security · Apr 30, 2026)
- VECT: Ransomware by design, Wiper by accident (Check Point Research · Apr 28, 2026)
- The Good, the Bad and the Ugly in Cybersecurity – Week 17 (SentinelOne Labs · Apr 24, 2026)
- UAT-4356's Targeting of Cisco Firepower Devices (Cisco Talos Intelligence · Apr 23, 2026)
- Orchestrating AI Code Review at scale (Cloudflare Blog · Apr 20, 2026)
- Unweight: how we compressed an LLM 22% without sacrificing quality (Cloudflare Blog · Apr 17, 2026)
- Patch Tuesday - April 2026 (Rapid7 Blog · Apr 14, 2026)
- Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities (Cisco Talos Intelligence · Apr 14, 2026)
- Risky Business #831 -- The AI bugpocalypse begins (Risky Business · Apr 1, 2026)
- Microsoft Patch Tuesday, March 2026 Edition (Krebs on Security · Mar 11, 2026)
- CISA Adds One Known Exploited Vulnerability to Catalog (CISA Alerts)
- Siemens SCALANCE (CISA Alerts)
- Siemens SIMATIC (CISA Alerts)
- Fuji Electric Tellus (CISA Alerts)