PT-2026-52358 · Linux · Linux
Published
2026-06-25
·
Updated
2026-06-25
·
CVE-2026-53263
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
6lowpan: fix off-by-one in multicast context address compression
The second memcpy in lowpan iphc mcast ctx addr compress() uses
&data[1] as destination and &ipaddr->s6 addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6 addr[12]
respectively.
This off-by-one has two consequences:
- data[1] is overwritten with s6 addr[11], corrupting the RIID field in the compressed multicast address
- data[5] is never written, so uninitialized kernel stack memory is transmitted over the network via lowpan push hc data(), leaking kernel stack contents
The correct inline data layout must match what the decompression
function lowpan uncompress multicast ctx daddr() expects:
data[0..1] = s6 addr[1..2] (flags/scope + RIID)
data[2..5] = s6 addr[12..15] (group ID)
Also zero-initialize the data array as a defensive measure against
similar bugs in the future.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux