CVE-2026-31415 (GCVE-0-2026-31415)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-05-11 22:08
VLAI?
Title
ipv6: avoid overflows in ip6_datagram_send_ctl()
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided. - `include/net/ipv6.h`: - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible). (lines 291-307, especially 298) - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`: - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen` without rejecting duplicates. (lines 909-933) - `net/ipv6/ip6_output.c:__ip6_append_data()`: - Uses `opt->opt_flen + opt->opt_nflen` to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465) - `net/ipv6/ip6_output.c:__ip6_make_skb()`: - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero. (lines 1930-1934) - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`: - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the pointed-to header). (lines 1179-1185 and 1206-1211) 1. `opt_flen` is a 16-bit accumulator: - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`. 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs and increments `opt_flen` each time: - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`: - It computes `len = ((hdr->hdrlen + 1) << 3);` - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns, CAP_NET_RAW)`. (line 922) - Then it does: - `opt->opt_flen += len;` (line 927) - `opt->dst1opt = hdr;` (line 928) There is no duplicate rejection here (unlike the legacy `IPV6_2292DSTOPTS` path which rejects duplicates at `net/ipv6/datagram.c:901-904`). If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps while `dst1opt` still points to a large (2048-byte) destination-options header. In the attached PoC (`poc.c`): - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048` - 1 cmsg with `hdrlen=0` => `len = 8` - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8` - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header. 3. The transmit path sizes headers using the wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1463-1465`: - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;` With wrapped `opt_flen`, `headersize`/headroom decisions underestimate what will be pushed later. 4. When building the final skb, the actual push length comes from `dst1opt` and is not limited by wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1930-1934`: - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);` - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes `dst1opt` via `ipv6_push_exthdr()`. - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does: - `skb_push(skb, ipv6_optlen(opt));` - `memcpy(h, opt, ipv6_optlen(opt));` With insufficient headroom, `skb_push()` underflows and triggers `skb_under_panic()` -> `BUG()`: - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`) - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`) - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`). - Root (or any task with `CAP_NET_RAW`) can trigger this without user namespaces. - An unprivileged `uid=1000` user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced `CAP_NET_RAW` (the attached PoC does this). - Local denial of service: kernel BUG/panic (system crash). - ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a (git)
Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 4082f9984a694829153115d28c956a3534f52f29 (git)
Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f (git)
Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 5e4ee5dbea134e9257f205e31a96040bed71e83f (git)
Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 63fda74885555e6bd1623b5d811feec998740ba4 (git)
Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 9ed81d692758dfb9471d7799b24bfa7a08224c31 (git)
Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 872b74900d5daa37067ac676d9001bb929fc6a2a (git)
Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 4e453375561fc60820e6b9d8ebeb6b3ee177d42e (git)
Create a notification for this product.
Linux Linux Affected: 2.6.14
Unaffected: 0 , < 2.6.14 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.168 , ≤ 6.1.* (semver)
Unaffected: 6.6.134 , ≤ 6.6.* (semver)
Unaffected: 6.12.81 , ≤ 6.12.* (semver)
Unaffected: 6.18.22 , ≤ 6.18.* (semver)
Unaffected: 6.19.12 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/datagram.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "4082f9984a694829153115d28c956a3534f52f29",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "5e4ee5dbea134e9257f205e31a96040bed71e83f",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "63fda74885555e6bd1623b5d811feec998740ba4",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "9ed81d692758dfb9471d7799b24bfa7a08224c31",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "872b74900d5daa37067ac676d9001bb929fc6a2a",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "4e453375561fc60820e6b9d8ebeb6b3ee177d42e",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/datagram.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid overflows in ip6_datagram_send_ctl()\n\nYiming Qian reported :\n\u003cquote\u003e\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\n ancillary-data path that can panic the kernel via `skb_under_panic()`\n (local DoS).\n\n The core issue is a mismatch between:\n\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\n `__u16`) and\n - a pointer to the *last* provided destination-options header (`opt-\u003edst1opt`)\n\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\n\n - `include/net/ipv6.h`:\n   - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\n (lines 291-307, especially 298)\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\n   - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\n without rejecting duplicates. (lines 909-933)\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\n   - Uses `opt-\u003eopt_flen + opt-\u003eopt_nflen` to compute header\n sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\n   - Calls `ipv6_push_frag_opts()` if `opt-\u003eopt_flen` is non-zero.\n (lines 1930-1934)\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\n   - Push size comes from `ipv6_optlen(opt-\u003edst1opt)` (based on the\n pointed-to header). (lines 1179-1185 and 1206-1211)\n\n 1. `opt_flen` is a 16-bit accumulator:\n\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\n\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\n and increments `opt_flen` each time:\n\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\n   - It computes `len = ((hdr-\u003ehdrlen + 1) \u003c\u003c 3);`\n   - It checks `CAP_NET_RAW` using `ns_capable(net-\u003euser_ns,\n CAP_NET_RAW)`. (line 922)\n   - Then it does:\n     - `opt-\u003eopt_flen += len;` (line 927)\n     - `opt-\u003edst1opt = hdr;` (line 928)\n\n There is no duplicate rejection here (unlike the legacy\n `IPV6_2292DSTOPTS` path which rejects duplicates at\n `net/ipv6/datagram.c:901-904`).\n\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\n while `dst1opt` still points to a large (2048-byte)\n destination-options header.\n\n In the attached PoC (`poc.c`):\n\n - 32 cmsgs with `hdrlen=255` =\u003e `len = (255+1)*8 = 2048`\n - 1 cmsg with `hdrlen=0` =\u003e `len = 8`\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\n\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\n\n- In `net/ipv6/ip6_output.c:1463-1465`:\n  - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-\u003eopt_flen +\n opt-\u003eopt_nflen : 0) + ...;`\n\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\n what will be pushed later.\n\n 4. When building the final skb, the actual push length comes from\n `dst1opt` and is not limited by wrapped `opt_flen`:\n\n - In `net/ipv6/ip6_output.c:1930-1934`:\n   - `if (opt-\u003eopt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\n `dst1opt` via `ipv6_push_exthdr()`.\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\n   - `skb_push(skb, ipv6_optlen(opt));`\n   - `memcpy(h, opt, ipv6_optlen(opt));`\n\n With insufficient headroom, `skb_push()` underflows and triggers\n `skb_under_panic()` -\u003e `BUG()`:\n\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\n\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\n netns user namespace (`ns_capable(net-\u003euser_ns, CAP_NET_RAW)`).\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\n namespaces.\n - An unprivileged `uid=1000` user can trigger this if unprivileged\n user namespaces are enabled and it can create a userns+netns to obtain\n namespaced `CAP_NET_RAW` (the attached PoC does this).\n\n - Local denial of service: kernel BUG/panic (system crash).\n -\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:16.113Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4082f9984a694829153115d28c956a3534f52f29"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f"
        },
        {
          "url": "https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31"
        },
        {
          "url": "https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e"
        }
      ],
      "title": "ipv6: avoid overflows in ip6_datagram_send_ctl()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31415",
    "datePublished": "2026-04-13T13:21:03.284Z",
    "dateReserved": "2026-03-09T15:48:24.087Z",
    "dateUpdated": "2026-05-11T22:08:16.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31415",
      "date": "2026-05-21",
      "epss": "0.00015",
      "percentile": "0.03302"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31415\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-13T14:16:10.707\",\"lastModified\":\"2026-05-20T15:41:05.197\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: avoid overflows in ip6_datagram_send_ctl()\\n\\nYiming Qian reported :\\n\u003cquote\u003e\\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\\n ancillary-data path that can panic the kernel via `skb_under_panic()`\\n (local DoS).\\n\\n The core issue is a mismatch between:\\n\\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\\n `__u16`) and\\n - a pointer to the *last* provided destination-options header (`opt-\u003edst1opt`)\\n\\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\\n\\n - `include/net/ipv6.h`:\\n   - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\\n (lines 291-307, especially 298)\\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\\n   - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\\n without rejecting duplicates. (lines 909-933)\\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\\n   - Uses `opt-\u003eopt_flen + opt-\u003eopt_nflen` to compute header\\n sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)\\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\\n   - Calls `ipv6_push_frag_opts()` if `opt-\u003eopt_flen` is non-zero.\\n (lines 1930-1934)\\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\\n   - Push size comes from `ipv6_optlen(opt-\u003edst1opt)` (based on the\\n pointed-to header). (lines 1179-1185 and 1206-1211)\\n\\n 1. `opt_flen` is a 16-bit accumulator:\\n\\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\\n\\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\\n and increments `opt_flen` each time:\\n\\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\\n   - It computes `len = ((hdr-\u003ehdrlen + 1) \u003c\u003c 3);`\\n   - It checks `CAP_NET_RAW` using `ns_capable(net-\u003euser_ns,\\n CAP_NET_RAW)`. (line 922)\\n   - Then it does:\\n     - `opt-\u003eopt_flen += len;` (line 927)\\n     - `opt-\u003edst1opt = hdr;` (line 928)\\n\\n There is no duplicate rejection here (unlike the legacy\\n `IPV6_2292DSTOPTS` path which rejects duplicates at\\n `net/ipv6/datagram.c:901-904`).\\n\\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\\n while `dst1opt` still points to a large (2048-byte)\\n destination-options header.\\n\\n In the attached PoC (`poc.c`):\\n\\n - 32 cmsgs with `hdrlen=255` =\u003e `len = (255+1)*8 = 2048`\\n - 1 cmsg with `hdrlen=0` =\u003e `len = 8`\\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\\n\\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\\n\\n- In `net/ipv6/ip6_output.c:1463-1465`:\\n  - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-\u003eopt_flen +\\n opt-\u003eopt_nflen : 0) + ...;`\\n\\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\\n what will be pushed later.\\n\\n 4. When building the final skb, the actual push length comes from\\n `dst1opt` and is not limited by wrapped `opt_flen`:\\n\\n - In `net/ipv6/ip6_output.c:1930-1934`:\\n   - `if (opt-\u003eopt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\\n `dst1opt` via `ipv6_push_exthdr()`.\\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\\n   - `skb_push(skb, ipv6_optlen(opt));`\\n   - `memcpy(h, opt, ipv6_optlen(opt));`\\n\\n With insufficient headroom, `skb_push()` underflows and triggers\\n `skb_under_panic()` -\u003e `BUG()`:\\n\\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\\n\\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\\n netns user namespace (`ns_capable(net-\u003euser_ns, CAP_NET_RAW)`).\\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\\n namespaces.\\n - An unprivileged `uid=1000` user can trigger this if unprivileged\\n user namespaces are enabled and it can create a userns+netns to obtain\\n namespaced `CAP_NET_RAW` (the attached PoC does this).\\n\\n - Local denial of service: kernel BUG/panic (system crash).\\n -\\n---truncated---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-617\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.14\",\"versionEndExcluding\":\"5.10.253\",\"matchCriteriaId\":\"DE13CD56-EF71-4FB6-8909-29C447FC8FE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.203\",\"matchCriteriaId\":\"20DDB3E9-AABF-4107-ADB0-5362AA067045\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.168\",\"matchCriteriaId\":\"E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.134\",\"matchCriteriaId\":\"F56F925B-BAF8-4F4B-B62F-1496AF19A307\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.81\",\"matchCriteriaId\":\"6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.22\",\"matchCriteriaId\":\"C9DF8BCE-36D3-475D-9D21-19E4F02F9029\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.12\",\"matchCriteriaId\":\"0A2B9540-02D5-41B4-B16A-82AF66FD4F36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4082f9984a694829153115d28c956a3534f52f29\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.