CVE-2026-43037

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the ip4ip6 err() function where it calls icmp send() using a cloned socket buffer (skb) containing cb[] data written as struct inet6 skb parm. The icmp send() function passes IPCB(skb2) to ip options echo(), which incorrectly interprets the cb[] region as struct inet skb parm (IPv4). Because the layouts differ, inet6 skb parm.nhoff overlaps with inet skb parm.opt.rr, resulting in a non-zero rr value. This allows ip options echo() to read an optlen value from attacker-controlled packet data and copy an arbitrary amount of bytes into dopt-> data, which is a fixed 40-byte stack buffer.

Recommendations Clear the skb2->cb[] in the ip4ip6 err() function. Implement minimal IPv4 header validation to ensure the version is 4 and the internet header length (ihl) is at least 5.