CVE-2026-53228

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads

ipip6 tunnel xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel handle offloads().

For GSO skbs, iptunnel handle offloads() calls skb header unclone(). When the skb header is cloned, skb header unclone() can call pskb expand head(), which may move the skb head. The pskb expand head() contract requires pointers into the skb header to be reloaded after the call.

If the later skb realloc headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released.

Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb realloc headroom(), since that branch can also replace the skb.