VYPR
Unrated severity · NVD Advisory · Published May 21, 2026

CVE-2026-43501

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).

pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:

skb_set_mac_header(skb, -skb->mac_len);

will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.

A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two-segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.

Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, ipv6_rpl_srh_rcv() did not reserve enough headroom when a recompressed RFC 6554 SRH grows, so the MAC-header rebuild that follows the push writes out of bounds, about 64 KiB past skb->head: a kernel memory corruption that crashes the host and could possibly be abused further.

Vulnerability

The bug is in ipv6_rpl_srh_rcv() in net/ipv6/exthdrs.c, the Linux kernel's receive path for RPL (Routing Protocol for Low-Power and Lossy Networks) source routing. To forward an RFC 6554 Source Routing Header (SRH) the function decompresses the header, swaps the next segment into ipv6_hdr->daddr, recompresses the segment list against the new daddr, pulls the old header and pushes the new one plus the IPv6 header back in front of the payload. CmprI and CmprE encode how many leading bytes the segments share with daddr, so when the swap shortens that shared prefix the recompressed header comes out larger than the one received; the worst case (CmprI=0, CmprE>0 and seg[0][0] != daddr[0]) grows it by 8 bytes. The head was only expanded with pskb_expand_head() when segments_left == 0, so on every earlier segment the push consumed headroom that had never been checked. Once fewer than skb->mac_len bytes remain in front of skb->data, skb_mac_header_rebuild() computes (data - head) - mac_len, stores it in the u16 mac_header field where it wraps to about 65530, and its memmove() then writes mac_len bytes roughly 64 KiB past skb->head. Kernels that predate the fix are affected; the patch has been applied across the stable trees referenced in [1][2][3][4].

Exploitation

An attacker needs to get a crafted IPv6 packet carrying a type-3 (RPL) SRH to the target. The reproducer in the description is local: an AF_INET6/SOCK_RAW socket with IPV6_HDRINCL set sends one packet over lo with a two-segment SRH using CmprI=0 and CmprE=15. After one pass through ipv6_rpl_srh_rcv() only 8 bytes of headroom remain, less than the 14-byte mac_len of an Ethernet-framed skb (loopback included). skb_push() itself does not fail; it is the following skb_mac_header_rebuild() that computes a negative MAC-header offset, wraps it in the u16 field and writes 14 bytes far outside the buffer. Opening a raw socket requires CAP_NET_RAW, which a network namespace created from an unprivileged user namespace provides, so the local trigger does not strictly need root; a remote sender needs no credentials at all. In either case the packet only reaches the vulnerable code if the rpl_seg_enabled sysctl is on for both net.ipv6.conf.all and the receiving interface: ipv6_rpl_srh_rcv() drops RPL headers otherwise, and the sysctl defaults to 0.

Impact

A successful trigger is a 14-byte out-of-bounds write in kernel memory about 64 KiB past skb->head, reported by KASAN in ipv6_rthdr_rcv (the caller of ipv6_rpl_srh_rcv()). The bytes written are the existing MAC header copied by memmove(), so the attacker controls the timing and, over a real link, the source MAC, but not the destination offset, which is fixed relative to the skb's head. Corrupting whatever allocation sits there is most likely to crash the kernel (denial of service); turning it into arbitrary code execution or privilege escalation would additionally require a favourable heap layout, so that outcome is possible but not demonstrated by the references.

Mitigation

Patches have been committed to the Linux kernel stable trees referenced in [1][2][3][4]. The fix changes ipv6_rpl_srh_rcv() to call pskb_expand_head() whenever the remaining headroom is less than the push size plus skb->mac_len, requesting that much extra, so the rebuilt MAC header always fits. Update to a kernel containing the fix (for example one with commit 7398ebefbfd4, 4babc2d9fda2, 8e8be63465a5 or c261d07a8057) or apply the corresponding patch. No workaround is documented in the advisory. As a practical check, the vulnerable path is only reachable when the rpl_seg_enabled sysctl is enabled on both net.ipv6.conf.all and the receiving interface, and it defaults to 0: a host that has not turned it on drops RPL SRHs before the bug, which sysctl net.ipv6.conf.all.rpl_seg_enabled will confirm.
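The arithmetic in the description and in the Vulnerability and Mitigation paragraphs above, as an added stand-alone C model; this is not kernel code and not taken from the referenced patches. It reproduces RFC 6554 header sizing and the CmprI/CmprE recomputation to show the +8 byte growth, the u16 wrap in the rebuilt MAC-header offset, and the old versus fixed expansion gate. The addresses, the 88-byte starting headroom and the 80-byte push (a 40-byte recompressed SRH plus the 40-byte IPv6 header) are constructed for the demonstration; the advisory itself gives only the 8 bytes left after the pass and the 14-byte mac_len. The fixed gate is modelled as asking for push + mac_len extra bytes, which is how the commit message describes it; the exact request in the real patch is not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IN6_LEN  16
#define ETH_HLEN 14 /* skb->mac_len of an Ethernet-framed skb; lo uses it too */

/* Wire size of an RFC 6554 type-3 SRH: 8 fixed bytes, n_total-1 addresses
 * shortened by CmprI, the last shortened by CmprE, padded to 8 bytes. */
static unsigned int rpl_srh_size(unsigned int n_total, unsigned int cmpri,
				 unsigned int cmpre)
{
	unsigned int addrs = (n_total - 1) * (IN6_LEN - cmpri) + (IN6_LEN - cmpre);
	return 8 + addrs + (8 - addrs % 8) % 8;
}

/* Leading bytes two addresses share, capped at 15 (CmprI/CmprE are 4-bit). */
static unsigned int common_prefix(const uint8_t *a, const uint8_t *b)
{
	unsigned int n;
	for (n = 0; n < 15 && a[n] == b[n]; n++)
		;
	return n;
}

/* Header size once compressed against daddr: CmprI is the prefix every
 * non-last segment shares with daddr, CmprE the one the last segment shares. */
static unsigned int rpl_compressed_size(uint8_t segs[][IN6_LEN],
					unsigned int n_total, const uint8_t *daddr)
{
	unsigned int i, c, cmpri = 15;
	for (i = 0; i + 1 < n_total; i++) {
		c = common_prefix(daddr, segs[i]);
		cmpri = c < cmpri ? c : cmpri;
	}
	return rpl_srh_size(n_total, cmpri, common_prefix(daddr, segs[n_total - 1]));
}

/* One forwarding step as ipv6_rpl_srh_rcv() does it: segment i and daddr
 * change places and the list is recompressed. Returns the size change. */
static int rpl_swap_growth(uint8_t segs[][IN6_LEN], unsigned int n_total,
			   uint8_t *daddr, unsigned int i)
{
	unsigned int before = rpl_compressed_size(segs, n_total, daddr);
	uint8_t tmp[IN6_LEN];
	memcpy(tmp, segs[i], IN6_LEN);
	memcpy(segs[i], daddr, IN6_LEN);
	memcpy(daddr, tmp, IN6_LEN);
	return (int)rpl_compressed_size(segs, n_total, daddr) - (int)before;
}

/* Worst case from the advisory with constructed addresses: daddr and the
 * last segment share 15 bytes (CmprE=15), seg[0] differs from daddr in
 * byte 0 (CmprI=0), and seg[0] is the segment swapped in first. */
static int demo_growth(void)
{
	uint8_t daddr[IN6_LEN] = { 0xfd, [15] = 0x01 };
	uint8_t segs[2][IN6_LEN] = { { 0xfe, [15] = 0x02 }, { 0xfd, [15] = 0x03 } };
	return rpl_swap_growth(segs, 2, daddr, 0);
}

/* Value skb_set_mac_header(skb, -skb->mac_len) stores in the u16
 * mac_header field: (data - head) - mac_len, which wraps below mac_len. */
static uint16_t rebuilt_mac_header_offset(unsigned int headroom,
					  unsigned int mac_len)
{
	return (uint16_t)((int)headroom - (int)mac_len);
}

/* Headroom left in front of skb->data after the push. Pre-fix the head was
 * grown only when segments_left hit 0 and only by the push size; the fix
 * grows it whenever less than push + mac_len remains and asks for that much.
 * Callers keep headroom + extra >= push: a real skb_push() past head panics. */
static unsigned int headroom_after_pass(unsigned int headroom, unsigned int push,
					unsigned int mac_len,
					unsigned int segments_left, int fixed)
{
	unsigned int extra = 0;
	if (fixed && headroom < push + mac_len)
		extra = push + mac_len;
	else if (!fixed && segments_left == 0)
		extra = push;
	return headroom + extra - push;
}

int main(void)
{
	/* Constructed: 88 bytes of headroom before an 80-byte push (40-byte
	 * recompressed SRH + 40-byte IPv6 header) with one segment still left. */
	unsigned int old = headroom_after_pass(88, 80, ETH_HLEN, 1, 0);
	unsigned int fix = headroom_after_pass(88, 80, ETH_HLEN, 1, 1);

	printf("SRH %u -> %u bytes after the swap (%+d)\n",
	       rpl_srh_size(2, 0, 15), rpl_srh_size(2, 0, 0), demo_growth());
	printf("old gate:   %u left, mac_header=%u%s\n", old,
	       rebuilt_mac_header_offset(old, ETH_HLEN), old < ETH_HLEN ? " (OOB)" : "");
	printf("fixed gate: %u left, mac_header=%u%s\n", fix,
	       rebuilt_mac_header_offset(fix, ETH_HLEN), fix < ETH_HLEN ? " (OOB)" : "");
	return 0;
}
```

With the old gate the model leaves 8 bytes and a mac_header of 65530, the wrapped value the description quotes; with the fixed gate 102 bytes remain and the MAC header lands at offset 88, inside the buffer. The old gate with segments_left == 0 shows why the bug only surfaced on non-final segments: there the head was grown by the push size before the push.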

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 10

References: 5

News mentions: 0 (no linked articles in the index yet)