Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Critical

Linux kernel IPv6 ICMP control-buffer type confusion leading to out-of-bounds write

IdentifiersCVE-2026-43038CWE-787

CVE-2026-43038 is a Linux kernel networking flaw in IPv6 ICMP error handling, specifically in ip6_err_gen_icmpv6_unreach(). The vulnerable path clones an skb representing an outer IPv4 ICMP error packet into skb2 without clearing skb2->cb[]. The original control buffer contains IPv4 inet_skb_parm state, but the cloned packet is later passed to icmp6_send(), which interprets the same cb area as IPv6 inet6_skb_parm via IP6CB(skb2). Because fields overlap in memory, the cipso offset in inet_skb_parm.opt can be reinterpreted as the dsthao field in inet6_skb_parm. A forged ICMPv4 error carrying a CIPSO IP option can therefore make dsthao non-zero and influence subsequent IPv6 option parsing. In icmp6_send(), mip6_addr_swap() calls ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO), causing scanning of an inner attacker-controlled IPv6 packet from an attacker-influenced offset. The reported issue is that this can yield a fake Home Address Option TLV without ensuring sufficient remaining packet length for the full struct ipv6_destopt_hao, creating the possibility of a 16-byte swap extending past packet data and into adjacent skb memory. The fix clears skb2->cb[] in ip6_err_gen_icmpv6_unreach() before IPv6 processing.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may allow a remote unauthenticated attacker to trigger memory corruption in the kernel networking stack. Based on the provided analysis, the primary consequence is a potential out-of-bounds 16-byte write/read during mip6_addr_swap() when attacker-controlled packet contents cause malformed IPv6 TLV handling. This can plausibly result in kernel crash or denial of service, and may also enable broader compromise effects such as corruption of adjacent skb metadata with possible confidentiality, integrity, and availability impact. The supplied context notes CVSS v3.1 9.8 from NVD/Linux Kernel CNA, indicating severe potential impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by filtering or rate-limiting untrusted ICMPv4 error traffic at network boundaries where feasible, especially traffic capable of reaching systems that process encapsulated or translated IPv6-related error paths. Minimize acceptance of unusual IPv4 IP options such as CIPSO from untrusted sources where operationally possible. These are only partial mitigations; the definitive mitigation is to deploy the patched kernel.

Remediation

Patch, then assume compromise.

Apply a Linux kernel version containing the fix for CVE-2026-43038, which clears skb2->cb[] in ip6_err_gen_icmpv6_unreach(). Vendor-provided kernel updates should be installed from the relevant distribution channels. The provided context specifically references SUSE kernel updates that include this fix across multiple product lines; affected environments should upgrade to the vendor-fixed kernel package version for their platform and reboot after installation.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system
Rocky LinuxKerneloperating_system
Rocky LinuxKernel-Rtoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

9 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43038
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43038
MITRE CWE · CWE-787
cwe.mitre.org
Patch
git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7
Patch
git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf
Patch
git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7
Patch
git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5
Patch
git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada
Patch
git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb
Patch
git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8
Patch
git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e