CVE-2026-43080

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> l2tp: Drop large packets with UDP encap<br /> <br /> syzbot reported a WARN on my patch series [1]. The actual issue is an<br /> overflow of 16-bit UDP length field, and it exists in the upstream code.<br /> My series added a debug WARN with an overflow check that exposed the<br /> issue, that&amp;#39;s why syzbot tripped on my patches, rather than on upstream<br /> code.<br /> <br /> syzbot&amp;#39;s repro:<br /> <br /> r0 = socket$pppl2tp(0x18, 0x1, 0x1)<br /> r1 = socket$inet6_udp(0xa, 0x2, 0x0)<br /> connect$inet6(r1, &amp;(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)<br /> connect$pppl2tp(r0, &amp;(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={&amp;#39;\x00&amp;#39;, &amp;#39;\xff\xff&amp;#39;, @empty}}}}, 0x32)<br /> writev(r0, &amp;(0x7f0000000080)=[{&amp;(0x7f0000000000)="ee", 0x34000}], 0x1)<br /> <br /> It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP<br /> encapsulation, and l2tp_xmit_core doesn&amp;#39;t check for overflows when it<br /> assigns the UDP length field. The value gets trimmed to 16 bites.<br /> <br /> Add an overflow check that drops oversized packets and avoids sending<br /> packets with trimmed UDP length to the wire.<br /> <br /> syzbot&amp;#39;s stack trace (with my patch applied):<br /> <br /> len &gt;= 65536u<br /> WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957<br /> WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957<br /> WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957<br /> Modules linked in:<br /> CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br /> RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]<br /> RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]<br /> RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327<br /> Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f<br /> RSP: 0018:ffffc90003d67878 EFLAGS: 00010293<br /> RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000<br /> RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff<br /> RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004<br /> R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900<br /> R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000<br /> FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302<br /> sock_sendmsg_nosec net/socket.c:727 [inline]<br /> __sock_sendmsg net/socket.c:742 [inline]<br /> sock_write_iter+0x503/0x550 net/socket.c:1195<br /> do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1<br /> vfs_writev+0x33c/0x990 fs/read_write.c:1059<br /> do_writev+0x154/0x2e0 fs/read_write.c:1105<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f636479c629<br /> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014<br /> RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629<br /> RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003<br /> RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0<br /> <br /> <br /> [1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/