CVE-2026-43501
Gravedad CVSS v3.1:
CRÍTICA
Tipo:
CWE-787
Escritura fuera de límites
Fecha de publicación:
21/05/2026
Última modificación:
15/07/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows<br />
<br />
ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps<br />
the next segment into ipv6_hdr->daddr, recompresses, then pulls the old<br />
header and pushes the new one plus the IPv6 header back. The<br />
recompressed header can be larger than the received one when the swap<br />
reduces the common-prefix length the segments share with daddr (CmprI=0,<br />
CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).<br />
<br />
pskb_expand_head() was gated on segments_left == 0, so on earlier<br />
segments the push consumed unchecked headroom. Once skb_push() leaves<br />
fewer than skb->mac_len bytes in front of data,<br />
skb_mac_header_rebuild()&#39;s call to:<br />
<br />
skb_set_mac_header(skb, -skb->mac_len);<br />
<br />
will store (data - head) - mac_len into the u16 mac_header field, which<br />
wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB<br />
past skb->head.<br />
<br />
A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two<br />
segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one<br />
pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.<br />
<br />
Fix this by expanding the head whenever the remaining room is less than<br />
the push size plus mac_len, and request that much extra so the rebuilt<br />
MAC header fits afterwards.
Impacto
Puntuación base 3.x
9.80
Gravedad 3.x
CRÍTICA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7 (incluyendo) | 5.10.258 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (incluyendo) | 5.15.209 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (incluyendo) | 6.1.175 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.86 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.27 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.4 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402
- https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854
- https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b
- https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f
- https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc
- https://git.kernel.org/stable/c/bde199c72d319a4e207f88daabc888317504e2fb
- https://git.kernel.org/stable/c/be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e
- https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37
- https://access.redhat.com/errata/RHSA-2026:25191
- https://access.redhat.com/errata/RHSA-2026:25217
- https://access.redhat.com/errata/RHSA-2026:27713
- https://access.redhat.com/errata/RHSA-2026:27731
- https://access.redhat.com/errata/RHSA-2026:33900
- https://access.redhat.com/errata/RHSA-2026:34094
- https://access.redhat.com/errata/RHSA-2026:34095
- https://access.redhat.com/security/cve/CVE-2026-43501
- https://bugzilla.redhat.com/show_bug.cgi?id=2480457
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43501.json



