PT-2026-36455 · Linux · Linux Kernel
Sashiko Ai-Review · Published 2026-05-01 · Updated 2026-05-13 · CVE-2026-43038
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: An issue exists in the Linux kernel where ip6_err_gen_icmpv6_unreach() fails to clear the skb2->cb[] array. When an outer IPv4 ICMP error packet is cloned into skb2 and passed to icmp6_send(), the kernel interprets the IPv4 control block (struct inet_skb_parm) as an IPv6 one (struct inet6_skb_parm). Specifically, the CIPSO offset in inet_skb_parm.opt overlaps with dsthao in inet6_skb_parm at offset 18. An attacker can send a forged ICMPv4 error carrying a CIPSO IP option to set a non-zero dsthao offset. This causes mip6_addr_swap() to call ipv6_find_tlv() over the inner, attacker-controlled IPv6 packet, which may return a fake TLV without verifying that the remaining packet length can accommodate the 18-byte struct ipv6_destopt_hao. The resulting 16-byte address swap can then extend beyond the packet data into skb_shared_info.
Recommendations: Apply the patch that clears the cb array in ip6_err_gen_icmpv6_unreach().
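As an added illustration (not from the advisory, and not the kernel's ipv6_find_tlv()), here is a stand-alone Home Address Option lookup that performs the length check the description says is missing: it refuses to return the option unless the full 18-byte struct fits inside the bytes actually present. Option codes and sizes follow RFC 6275; the function name and sample headers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, stand-alone illustration: not the kernel's ipv6_find_tlv().
 * Option codes and sizes follow RFC 6275; the function name is our own. */
#define IPV6_TLV_PAD1 0
#define IPV6_TLV_PADN 1
#define IPV6_TLV_HAO  201            /* Home Address Option */
#define HAO_OPT_SIZE  18             /* type + len + 16-byte home address */

/* buf/len: the bytes of an IPv6 Destination Options header that are actually
 * present (starting at its Next Header byte). Returns the offset of the HAO's
 * type byte, or -1 when absent, malformed, or when the full 18-byte option
 * would not fit: the check whose absence the advisory describes. */
int find_hao_checked(const uint8_t *buf, size_t len)
{
    if (len < 8)
        return -1;
    size_t hdrlen = ((size_t)buf[1] + 1) * 8;  /* declared header length */
    if (hdrlen > len)                           /* packet truncated below claim */
        return -1;
    for (size_t off = 2; off < hdrlen;) {
        uint8_t type = buf[off];
        if (type == IPV6_TLV_PAD1) { off++; continue; }
        if (off + 2 > hdrlen)                   /* no room for type + length */
            return -1;
        size_t optlen = buf[off + 1];
        if (off + 2 + optlen > hdrlen)          /* option body overruns header */
            return -1;
        if (type == IPV6_TLV_HAO)
            return optlen == HAO_OPT_SIZE - 2 ? (int)off : -1;
        off += 2 + optlen;
    }
    return -1;
}

/* Constructed sample: 24-byte Dst Opts header (Hdr Ext Len = 2) with a valid
 * HAO at offset 2 followed by a 4-byte PadN. Next Header 59 = none. */
const uint8_t HAO_OK[24] = {
    59, 2, 201, 16,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    1, 2, 0, 0 };

/* Constructed sample: header claims 16 bytes, but the HAO needs 18 bytes from
 * offset 2, so its home address runs past the end; a swap here would read and
 * write beyond the data that exists. The lookup must reject it. */
const uint8_t HAO_BAD[16] = {
    59, 1, 201, 16,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0 };
```

Passing HAO_OK with only 16 bytes available models an inner packet cut short below its declared header length, which the lookup also rejects.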

Fix

Related Identifiers

CVE-2026-43038
ECHO-B634-CF31-7ECD

Affected Products

Linux Kernel