Lu Wei

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.0.0-rc4+ **Description** The vulnerability is related to out-of-bound bugs caused by an unset `skb->mac header` in the ipvlan component of the Linux kernel. This issue can be triggered when an AF PACKET socket is used to send packets through ipvlan and the default xmit function of the AF PACKET socket is changed from `dev queue xmit()` to `packet direct xmit()` via `setsockopt()` with the option name of `PACKET QDISC BYPASS`. The root cause of this issue is that `packet snd()` only resets `skb->mac header` when the socket type is `SOCK RAW` and the protocol is not specified, and `packet direct xmit()` does not reset `skb->mac header` as `dev queue xmit()` does. This can lead to out-of-bound access when `ipvlan xmit mode l2()` is called. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the patch for this vulnerability. Specifically, the patch replaces `eth hdr()` with `skb eth hdr()` in `ipvlan xmit mode l2()` and resets the mac header in multicast to solve the out-of-bound bug. At the moment, there is no information about a newer version that contains a fix for this vulnerability.