CVE-2026-43037

Severity: Critical
Published: 01 May 2026
Modified: 27 June 2026
KEV Added: not listed (see Summary)
Patch: available (see Deeper analysis)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0056 (42.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-43037 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux Kernel (vendor: Linux). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-43037 is a vulnerability in the Linux kernel's ip6_tunnel module, specifically within the ip4ip6_err() function. The issue arises when ip4ip6_err() calls icmp_send() on a cloned socket buffer (skb) whose control block (cb[]) has been populated by the IPv6 receive path as a struct inet6_skb_parm. The icmp_send() function then passes IPCB(skb2) to __ip_options_echo(), which misinterprets the cb[] region as a struct inet_skb_parm for IPv4 processing. Due to differing layouts—particularly inet6_skb_parm.nhoff at offset 14 overlapping inet_skb_parm.opt.rr—this results in a non-zero record route (rr) value, causing __ip_options_echo() to read an optlen from attacker-controlled packet data at sptr[rr+1] and copy that many bytes into a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE), leading to a stack-based buffer overflow.

A remote, unauthenticated attacker can exploit this vulnerability by sending crafted IPv6 packets that trigger the ip4ip6_err() path in IP-in-IP6 tunneling scenarios. The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its high severity, with network accessibility, low attack complexity, and no privileges required. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system crashes via the stack buffer overflow.

Kernel patches addressing this vulnerability, available in stable repositories, clear the skb2->cb[] area before processing and add minimal IPv4 header validation to ensure version 4 and IHL >= 5. Relevant commits include 1063515ce15ff31065c4e7f8265f4c2fd3c54876, 2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5, 2edfa31769a4add828a7e604b21cb82aaaa05925, 4a622658f384b03560834cbe8ffcfe69a278f7c8, and 590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3. Security practitioners should update to kernels incorporating these fixes to mitigate exposure in environments using IP6 tunneling.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

Oskar Kjos reported the following problem.

ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm.

icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).

To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).
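The "Deeper analysis" section and the commit message above both hinge on one fact: the same 48-byte cb[] region is written as one struct and read as another, and byte 14 means different things in each. The C program below is an added illustration written for this page; it is not kernel code and not the fix's own source. It builds simplified model_ structs (names, the 48-byte cb size, the nhoff value 40 and the sample headers are assumptions) laid out so that nhoff and opt.rr share byte 14, shows that a clone taken after IPv6 receive presents a non-zero opt.rr to IPv4 option code unless cb[] is cleared first, and includes the minimal IPv4 header check (version == 4, IHL >= 5) that the fix adds. The rr value reported assumes a little-endian host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not kernel code. The structs are a simplified model of
 * the two views of skb->cb[] named in the advisory, laid out so that the IPv6
 * view's nhoff occupies byte 14, the byte the IPv4 view reads as opt.rr. */
#define MODEL_SKB_CB_SIZE 48          /* assumed size of the modelled cb[] */
#define MODEL_IPV6_HDR_LEN 40         /* assumed nhoff value: a basic IPv6 header */

struct model_inet6_skb_parm {         /* IPv6 receive-path view */
    int      iif;                     /* bytes 0-3 */
    uint16_t ra, dst0, srcrt, dst1;   /* bytes 4-11 */
    uint16_t lastopt;                 /* bytes 12-13 */
    uint16_t nhoff;                   /* bytes 14-15: inner-header offset */
};

struct model_ip_options {
    uint32_t faddr, nexthop;          /* bytes 4-11 of the parm */
    uint8_t  optlen, srr;             /* bytes 12-13 */
    uint8_t  rr;                      /* byte 14: overlaps nhoff above */
    uint8_t  ts;                      /* byte 15 */
};

struct model_inet_skb_parm {          /* IPv4 view used by the option echo code */
    int flags;                        /* bytes 0-3 */
    struct model_ip_options opt;      /* bytes 4-15 */
};

struct model_skb { unsigned char cb[MODEL_SKB_CB_SIZE]; };

/* Confirms the two models really do collide at byte 14. */
int model_offsets_line_up(void)
{
    return offsetof(struct model_inet6_skb_parm, nhoff) == 14 &&
           offsetof(struct model_inet_skb_parm, opt.rr) == 14;
}

/* The IPv6 receive path records where the inner (IPv4) header starts. */
static void model_ipv6_rx(struct model_skb *skb)
{
    struct model_inet6_skb_parm p6;
    memset(&p6, 0, sizeof p6);
    p6.nhoff = MODEL_IPV6_HDR_LEN;
    memset(skb->cb, 0, sizeof skb->cb);
    memcpy(skb->cb, &p6, sizeof p6);
}

/* The error path clones the skb (cb[] comes along) before icmp_send().
 * clear_cb == 1 models the fix: the clone's cb[] is zeroed first. */
static struct model_skb model_clone_for_icmp(const struct model_skb *skb, int clear_cb)
{
    struct model_skb clone = *skb;
    if (clear_cb)
        memset(clone.cb, 0, sizeof clone.cb);
    return clone;
}

/* The rr byte the IPv4 option code would read from that clone. On a
 * little-endian host the unpatched path yields the low byte of nhoff (40),
 * a non-zero value that selects the record-route branch; with the fix it is 0. */
uint8_t rr_seen_by_ipv4_path(int clear_cb)
{
    struct model_skb skb, clone;
    struct model_inet_skb_parm p4;
    model_ipv6_rx(&skb);
    clone = model_clone_for_icmp(&skb, clear_cb);
    memcpy(&p4, clone.cb, sizeof p4);
    return p4.opt.rr;
}

/* Minimal IPv4 header check mirroring the fix (version == 4, IHL >= 5);
 * the length guard is an addition so the function is safe on short input. */
int ipv4_header_minimally_valid(const unsigned char *hdr, size_t len)
{
    if (len < 20)
        return 0;
    return (hdr[0] >> 4) == 4 && (hdr[0] & 0x0f) >= 5;
}

/* Constructed sample inner headers: first byte is (version << 4) | IHL. */
const unsigned char SAMPLE_HDR_OK[20]      = { 0x45 };
const unsigned char SAMPLE_HDR_BAD_VER[20] = { 0x65 };
const unsigned char SAMPLE_HDR_BAD_IHL[20] = { 0x44 };

int main(void)
{
    printf("offsets collide at byte 14: %d\n", model_offsets_line_up());
    printf("rr seen without cb clear: %u\n", (unsigned)rr_seen_by_ipv4_path(0));
    printf("rr seen with cb clear:    %u\n", (unsigned)rr_seen_by_ipv4_path(1));
    printf("header 0x45 ok: %d, 0x65 ok: %d, 0x44 ok: %d\n",
           ipv4_header_minimally_valid(SAMPLE_HDR_OK, 20),
           ipv4_header_minimally_valid(SAMPLE_HDR_BAD_VER, 20),
           ipv4_header_minimally_valid(SAMPLE_HDR_BAD_IHL, 20));
    return 0;
}
```

The point for reviewers of similar code: whenever a buffer is handed from one protocol's receive path to another protocol's helpers, its per-layer scratch area must be reset, because the receiving helper has no way to tell stale foreign state from its own fields. Clearing cb[] removes the non-zero rr that drives the oversized copy; the header check is defence in depth against malformed inner packets.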

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote unauthenticated stack buffer overflow in the Linux kernel IP tunneling module, exploitable via crafted IPv6 packets over the network, directly mapping to exploitation of a public-facing vulnerability for initial access and code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43186 (same product: Linux Kernel, vendor Linux)
CVE-2026-31478 (same product: Linux Kernel, vendor Linux)
CVE-2026-31631 (same product: Linux Kernel, vendor Linux)
CVE-2026-31649 (same product: Linux Kernel, vendor Linux)
CVE-2026-31705 (same product: Linux Kernel, vendor Linux)
CVE-2026-31668 (same product: Linux Kernel, vendor Linux)
CVE-2026-31414 (same product: Linux Kernel, vendor Linux)
CVE-2026-23427 (same product: Linux Kernel, vendor Linux)
CVE-2026-43055 (same product: Linux Kernel, vendor Linux)
CVE-2026-22984 (same product: Linux Kernel, vendor Linux)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 2.6.22 through 5.10.253; 5.11 through 5.15.203; 5.16 through 6.1.168

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Directly mitigates the vulnerability by applying kernel patches that clear skb2->cb[] and add IPv4 header validation, preventing the stack buffer overflow in ip4ip6_err().

SI-10 Information Input Validation (prevent)
Requires validation of attacker-controlled packet data and headers in the ip6_tunnel error path to avoid misinterpretation of inet6_skb_parm as inet_skb_parm leading to overflow.

Additional control (prevent)
Provides kernel memory protections such as stack canaries and non-executable memory to limit the exploitation impact of the stack buffer overflow even if the kernel is unpatched.
