CVE-2026-43037

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ip6_tunnel: clear skb2-&gt;cb[] in ip4ip6_err()<br /> <br /> Oskar Kjos reported the following problem.<br /> <br /> ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written<br /> by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes<br /> IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region<br /> as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff<br /> at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr<br /> value. __ip_options_echo() then reads optlen from attacker-controlled<br /> packet data at sptr[rr+1] and copies that many bytes into dopt-&gt;__data,<br /> a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).<br /> <br /> To fix this we clear skb2-&gt;cb[], as suggested by Oskar Kjos.<br /> <br /> Also add minimal IPv4 header validation (version == 4, ihl &gt;= 5).