Linux · Linux Kernel · CVE-2026-43038
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
An issue exists in the Linux kernel where the `ip6_err_gen_icmpv6_unreach()` function fails to clear the `skb2->cb[]` array. When an outer IPv4 ICMP error packet is cloned into `skb2` and passed to `icmp6_send()`, the system interprets IPv4 `inet_skb_parm` as `inet6_skb_parm`. Specifically, the CIPSO offset in `inet_skb_parm.opt` overlaps with `dsthao` in `inet6_skb_parm` at offset 18. An attacker can send a forged ICMPv4 error with a CIPSO IP option to set a non-zero `dsthao` offset. This causes `mip6_addr_swap()` to use `ipv6_find_tlv()` to scan the inner attacker-controlled IPv6 packet, potentially returning a fake TLV without verifying if the remaining packet length can accommodate the 18-byte `struct ipv6_destopt_hao`. This may lead to a 16-byte swap that extends beyond the packet data into `skb_shared_info`.
**Recommendations**
Apply the patch that clears the `cb` array in the `ip6_err_gen_icmpv6_unreach()` function.
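The following user-space model is an added example, not kernel code or the actual patch. It shows why stale `cb[]` bytes written by the IPv4 path are read as a non-zero `dsthao` by the IPv6 path, how clearing the buffer removes that state, and what a length check for the 18-byte option looks like. The two structs are simplified stand-ins that keep only the overlapping field at offset 18, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE    48  /* size of skb->cb[] */
#define SHARED_OFF 18  /* offset of both fields, as stated in the advisory */
#define HAO_LEN    18  /* size of struct ipv6_destopt_hao, as stated above */

/* Simplified models (assumption): only the overlapping field is represented. */
struct v4_cb_model { uint8_t pad[SHARED_OFF]; uint8_t  cipso;  };
struct v6_cb_model { uint8_t pad[SHARED_OFF]; uint16_t dsthao; };

/* IPv4 receive path records where the CIPSO option sits. */
static void v4_record_cipso(uint8_t *cb, uint8_t off)
{
    cb[offsetof(struct v4_cb_model, cipso)] = off;
}

/* IPv6 path interprets the same bytes as dsthao. */
static uint16_t v6_read_dsthao(const uint8_t *cb)
{
    struct v6_cb_model v6;
    memcpy(&v6, cb, sizeof v6);
    return v6.dsthao;
}

/* Value the IPv6 side sees after the handoff; clear_cb=1 models the fix. */
uint16_t dsthao_after_handoff(uint8_t cipso_off, int clear_cb)
{
    uint8_t cb[CB_SIZE] = {0};
    v4_record_cipso(cb, cipso_off);
    if (clear_cb)
        memset(cb, 0, sizeof cb);
    return v6_read_dsthao(cb);
}

/* Length check: an option at off must leave HAO_LEN bytes inside len. */
int hao_fits(size_t off, size_t len)
{
    return off <= len && len - off >= HAO_LEN;
}

int main(void)
{
    printf("stale cb:   dsthao=%u\n", (unsigned)dsthao_after_handoff(20, 0));
    printf("cleared cb: dsthao=%u\n", (unsigned)dsthao_after_handoff(20, 1));
    return 0;
}
```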