CVE-2026-43057
Description
In the Linux kernel, the following vulnerability has been resolved:
net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
NETIF_F_IPV6_CSUM only advertises support for checksum offload of packets without IPv6 extension headers. Packets with extension headers must fall back onto software checksumming. Since TSO depends on checksum offload, those must revert to GSO.
The below commit introduces that fallback. It always checks network header length. For tunneled packets, the inner header length must be checked instead. Extend the check accordingly.
A special case is tunneled packets without inner IP protocol. Such as RFC 6951 SCTP in UDP. Those are not standard IPv6 followed by transport header either, so also must revert to the software GSO path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a flaw in IPv6 checksum offload fallback for tunneled packets can cause incorrect GSO handling, potentially leading to network issues.
Vulnerability
Description
CVE-2026-43057 is a vulnerability in the Linux kernel's networking stack, specifically in the handling of IPv6 checksum offload (NETIF_F_IPV6_CSUM) during GSO (Generic Segmentation Offload) fallback. The kernel incorrectly checks the network header length instead of the inner header length for tunneled packets when deciding whether to fall back to software checksumming. This occurs because NETIF_F_IPV6_CSUM only supports checksum offload for packets without IPv6 extension headers; packets with extension headers must fall back to software checksumming, and TSO (TCP Segmentation Offload) must revert to GSO. The fallback logic introduced by a prior commit failed to account for tunnel encapsulation, leading to improper handling.
Exploitation
Conditions
An attacker can exploit this vulnerability by sending crafted tunneled IPv6 packets that include extension headers or non-standard inner protocols, such as SCTP encapsulated in UDP (as per RFC 6951). These packets trigger the flawed fallback path because the kernel checks the outer network header length rather than the inner header. No authentication is required; the attacker only needs the ability to send network traffic to a vulnerable system. The attack surface is network-facing, and the vulnerability can be triggered remotely.
Impact
Successful exploitation could lead to incorrect GSO segmentation, potentially causing packet corruption, data loss, or denial of service. The vulnerability is rated High with a CVSS v3 score of 7.5, indicating significant potential for disruption. There is no evidence of privilege escalation or remote code execution; the impact is limited to network-level integrity and availability.
Mitigation
The vulnerability has been patched in the Linux kernel stable tree. The fix extends the fallback check to use the inner header length for tunneled packets, and also handles special cases like SCTP-in-UDP. Patched versions are available via the stable kernel commits referenced below [1][2][3][4]. Users should update their kernels to the latest stable release to mitigate the issue.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13(expand)+ 12 more
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.1.149,<6.1.168
- cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.17:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
0No linked articles in our index yet.