CVE-2026-43083
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ioam6: fix OOB and missing lock
When trace->type.bit6 is set:
    if (trace->type.bit6) {
        ...
        queue = skb_get_tx_queue(dev, skb);
        qdisc = rcu_dereference(queue->qdisc);
This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature.
While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.
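A user-space model of the index mismatch described above, added here as an illustration and not taken from the kernel patch. The struct and function names, the sample queue counts and the DEPTH_UNAVAILABLE sentinel are assumptions; the value the kernel fix reports for an out-of-range mapping is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only: these types and names are hypothetical stand-ins,
 * not the kernel's struct net_device / struct sk_buff. */
struct model_txq { uint32_t backlog; };
struct model_dev {
    unsigned int num_tx_queues;   /* length of tx[] */
    struct model_txq *tx;         /* stands in for dev->_tx[] */
};
struct model_skb { uint16_t queue_mapping; };

#define DEPTH_UNAVAILABLE 0xffffffffu   /* constructed sentinel value */

/* How many elements past the end of tx[] an unclamped lookup would land
 * (0 means the index is in range). Computes the distance, never the access. */
static unsigned int unclamped_overrun(const struct model_dev *dev,
                                      const struct model_skb *skb)
{
    if (skb->queue_mapping < dev->num_tx_queues)
        return 0;
    return skb->queue_mapping - dev->num_tx_queues + 1;
}

/* Guarded lookup: an index that came from another device's RX queues is
 * rejected before tx[] is touched. */
static uint32_t queue_depth_checked(const struct model_dev *dev,
                                    const struct model_skb *skb)
{
    if (skb->queue_mapping >= dev->num_tx_queues)
        return DEPTH_UNAVAILABLE;
    return dev->tx[skb->queue_mapping].backlog;
}

int main(void)
{
    struct model_txq txq[2] = { { 100 }, { 250 } };   /* constructed data */
    struct model_dev egress = { 2, txq };
    struct model_skb rx_pkt = { 5 };   /* RX queue 5 of an 8-queue ingress NIC */
    struct model_skb tx_pkt = { 1 };   /* mapping chosen for the egress device */

    printf("rx: overrun=%u depth=0x%x\n", unclamped_overrun(&egress, &rx_pkt),
           (unsigned)queue_depth_checked(&egress, &rx_pkt));
    printf("tx: overrun=%u depth=%u\n", unclamped_overrun(&egress, &tx_pkt),
           (unsigned)queue_depth_checked(&egress, &tx_pkt));
    return 0;
}
```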
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds access of the dev->_tx[] array in the Linux kernel's ioam6 code can occur for packets on the RX path; a missing lock can also lead to a data race.
Vulnerability Description
The vulnerability resides in the __ioam6_fill_trace_data() function in the Linux kernel's ioam6 code, which implements IOAM (In-situ Operations, Administration, and Maintenance) for IPv6. When trace->type.bit6 is set, the code calls skb_get_tx_queue(dev, skb) to retrieve the transmit queue. However, on the RX path, skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device has TX queues, skb_get_queue_mapping() returns an index exceeding dev->num_tx_queues, leading to an out-of-bounds (OOB) access of the dev->_tx[] array. Additionally, the function lacks locking around qdisc_qstats_qlen_backlog(), even though __ioam6_fill_trace_data() is called from both softirq and process contexts.
Attack Surface and Exploitation
An attacker can trigger this by sending an IPv6 packet with ioam6 options that cause trace->type.bit6 to be set while the packet is being processed on the RX path; the out-of-bounds index arises when the ingress device has more RX queues than the egress device has TX queues. The vulnerability is triggerable from an unprivileged network position, as no special authentication is required to send such packets. The affected function runs in both softirq (RX) and process contexts.
Impact
Successful exploitation of the OOB access can result in memory corruption, potentially leading to system crashes (denial of service) or, in worst-case scenarios, privilege escalation. The missing locking vulnerability could cause data corruption due to concurrent access to shared data structures, further destabilizing the system.
Mitigation
The Linux kernel community has released patches that fix the vulnerability by adding a check to prevent the OOB access and by properly acquiring a spin lock (spin_lock_bh()) before calling qdisc_qstats_qlen_backlog(). These patches have been backported to stable kernel branches, as referenced in commits [1], [2], and [3]. Users are advised to update their kernels to the latest stable versions containing these fixes. No workarounds are known.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (3)
News mentions (1)
- Patch Tuesday - May 2026 (Rapid7 Blog, May 13, 2026)