CVE-2026-43038

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2026
Last modified:
08/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2).

IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18.

If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).

This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao.

Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info?

Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this?

This patch implements the first suggestion.

I am not sure if ip6ip6_err() needs to be changed.
A separate patch would be better anyway.
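Added example, not part of the CVE record or of the kernel patch: a small C model of the cb[] aliasing the commit message describes. The two structs are reduced copies of the kernel's inet_skb_parm and inet6_skb_parm field order (an assumption of this model, not the kernel headers); the function returns the value icmp6_send() would read as dsthao, with and without clearing cb[] first as the fix does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SKB_CB_SIZE 48  /* sizeof(skb->cb) in the kernel */

/* IPv4 view of cb[]: reduced copy of inet_skb_parm with ip_options inside.
 * Field order and sizes follow mainline; treat that as an assumption. */
struct ip_options_m {
    uint32_t faddr, nexthop;
    uint8_t  optlen, srr, rr, ts;
    uint8_t  flags, router_alert;   /* bitfield byte + router alert */
    uint8_t  cipso, __pad2;         /* cipso lands at byte 18 of cb[] */
};
struct inet_skb_parm_m { int iif; struct ip_options_m opt; uint16_t flags, frag_max_size; };

/* IPv6 view of the same bytes: reduced inet6_skb_parm (CONFIG_IPV6_MIP6). */
struct inet6_skb_parm_m {
    int iif;
    uint16_t ra, dst0, srcrt, dst1, lastopt, nhoff, flags;
    uint16_t dsthao;                /* byte 18: aliases ip_options.cipso */
    uint16_t frag_max_size, srhoff;
};

union skb_cb_m {                    /* both views over one cb[] buffer */
    unsigned char raw[SKB_CB_SIZE];
    struct inet_skb_parm_m ip4;
    struct inet6_skb_parm_m ip6;
};

size_t cipso_offset(void)
{
    return offsetof(struct inet_skb_parm_m, opt) + offsetof(struct ip_options_m, cipso);
}
size_t dsthao_offset(void) { return offsetof(struct inet6_skb_parm_m, dsthao); }

/* IPv4 input records a CIPSO option in cb; the cloned skb2 then reaches
 * icmp6_send(), which reads the same bytes through IP6CB(). */
uint16_t dsthao_seen_by_icmp6(uint8_t cipso_off, int clear_cb_first)
{
    union skb_cb_m cb;
    memset(&cb, 0, sizeof cb);
    cb.ip4.opt.cipso = cipso_off;         /* constructed sample: CIPSO at 20 */
    if (clear_cb_first)
        memset(cb.raw, 0, sizeof cb.raw); /* the fix: clear cb before reuse */
    return cb.ip6.dsthao;                 /* offset mip6_addr_swap() would scan from */
}
```

Without the clear, the stale IPv4 option offset is taken as a HAO offset into the inner packet; with it, dsthao is 0 and the HAO lookup is skipped.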

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.13 (excluding) 5.10.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.81 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.12 (excluding)
cpe:2.3:o:linux:linux_kernel:3.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.13:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*