CVE-2026-43341
Description
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: ioam6: prevent schema length wraparound in trace fill
ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.
Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel ioam6 flaw lets a crafted IPv6 packet with a large schema payload wrap a u8 length counter, bypassing the buffer check and causing an out-of-bounds write.
Vulnerability
A critical vulnerability has been discovered in the Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) implementation. The ioam6_fill_trace_data() function stores the schema contribution to the trace length in a u8 variable (sclen). When bit 22 of the IOAM option header is enabled and the largest schema payload is provided, sclen becomes 1 + 1020 / 4 = 256, which wraps to 0 due to the 8-bit overflow. This causes the subsequent remaining-space check to be bypassed, as the wrap leads the check to believe there is still room in the trace buffer [1].
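The wraparound described above, modelled in user-space C as an added example; it is not the kernel source or the upstream patch. The function names, the node_units parameter and the 16-unit remaining space are assumptions for illustration; the u8 versus unsigned int types, the 1020-byte payload and the 4-byte schema header come from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code. Lengths are in 4-octet
 * units, matching the description's "1 + 1020 / 4". */
#define MAX_SCHEMA_BYTES 1020u /* largest schema payload per the description */

/* Pre-fix: schema contribution stored in a u8, so 256 truncates to 0. */
static unsigned int sclen_u8(unsigned int schema_bytes)
{
    uint8_t sclen = (uint8_t)(1 + schema_bytes / 4);
    return sclen;
}

/* Post-fix: schema contribution kept in an unsigned int. */
static unsigned int sclen_uint(unsigned int schema_bytes)
{
    return 1 + schema_bytes / 4;
}

/* Hypothetical remaining-space check: node data plus schema must fit. */
static bool passes_check(unsigned int node_units, unsigned int sclen,
                         unsigned int remaining_units)
{
    return node_units + sclen <= remaining_units;
}

/* Bytes copied (4-byte header + payload) beyond what sclen accounted for. */
static unsigned int unreserved_bytes(unsigned int sclen, unsigned int schema_bytes)
{
    unsigned int copied = 4 + schema_bytes, reserved = sclen * 4;
    return copied > reserved ? copied - reserved : 0;
}

int main(void)
{
    unsigned int remaining = 16, node = 2; /* constructed sample values */
    unsigned int old = sclen_u8(MAX_SCHEMA_BYTES);
    unsigned int fixed = sclen_uint(MAX_SCHEMA_BYTES);

    printf("u8:           sclen=%u check=%s unreserved=%u bytes\n", old,
           passes_check(node, old, remaining) ? "pass" : "reject",
           unreserved_bytes(old, MAX_SCHEMA_BYTES));
    printf("unsigned int: sclen=%u check=%s unreserved=%u bytes\n", fixed,
           passes_check(node, fixed, remaining) ? "pass" : "reject",
           unreserved_bytes(fixed, MAX_SCHEMA_BYTES));
    return 0;
}
```

Only the maximum payload wraps: a 1016-byte schema yields 255 in the u8 and is still rejected by the check, which is why the defect is easy to miss in testing.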
Exploitation
An attacker can exploit this bug with a specially crafted IPv6 packet that triggers the IOAM trace mechanism. The attack requires no authentication and can be performed remotely (network proximity is needed). The key prerequisite is enabling bit 22 in the IOAM option header and providing the maximum schema payload, which causes the integer overflow in the sclen field. This overflows the length counter, bypassing the bounds check in __ioam6_fill_trace_data(). The write cursor is then positioned without reserving space, yet the schema header and full payload are still copied, leading to an out-of-bounds write [1].
Impact
A successful exploit can corrupt kernel memory. The out-of-bounds write can potentially lead to arbitrary code execution, denial of service, or information disclosure. Given the CVSS score of 9.8 (Critical) and the ability to trigger remotely, this vulnerability represents a severe threat to systems with the affected kernel in
Mitigation
The issue has been fixed in the Linux kernel stable tree. The patch changes the sclen variable type from u8 to unsigned int to prevent the integer wraparound [1]. Users are urged to update their kernel to a version containing the fix. No workaround has been publicly identified for a
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280 (nvd, Patch)
- git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50 (nvd, Patch)
- git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f (nvd, Patch)
- git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09 (nvd, Patch)
- git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d (nvd, Patch)
- git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596 (nvd, Patch)