CVE-2026-43037
Published: 01 May 2026
Summary
CVE-2026-43037 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks at the 29.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by applying kernel patches that clear skb2->cb[] and add IPv4 header validation, preventing the stack buffer overflow in ip4ip6_err().
- Requires validation of attacker-controlled packet data and headers in the ip6_tunnel error path to avoid misinterpretation of inet6_skb_parm as inet_skb_parm leading to overflow.
- Provides kernel memory protections such as stack canaries and non-executable memory to limit the exploitation impact of the stack buffer overflow even if unpatched.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated stack buffer overflow in the Linux kernel IP tunneling module, exploitable via crafted IPv6 packets over the network, directly mapping to exploitation of a public-facing vulnerability for initial access and code execution.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).
Deeper analysis
CVE-2026-43037 is a vulnerability in the Linux kernel's ip6_tunnel module, specifically within the ip4ip6_err() function. The issue arises when ip4ip6_err() calls icmp_send() on a cloned socket buffer (skb) whose control block (cb[]) has been populated by the IPv6 receive path as a struct inet6_skb_parm. The icmp_send() function then passes IPCB(skb2) to __ip_options_echo(), which misinterprets the cb[] region as a struct inet_skb_parm for IPv4 processing. Because the two layouts differ (in particular, inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr), the IPv4 view sees a non-zero record route (rr) value. __ip_options_echo() then reads an optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE), leading to a stack-based buffer overflow.
A remote, unauthenticated attacker can exploit this vulnerability by sending crafted IPv6 packets that trigger the ip4ip6_err() path in IP-in-IP6 tunneling scenarios. The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its high severity, with network accessibility, low attack complexity, and no privileges required. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system crashes via the stack buffer overflow.
Kernel patches addressing this vulnerability, available in stable repositories, clear the skb2->cb[] area before processing and add minimal IPv4 header validation to ensure version 4 and IHL >= 5. Relevant commits include 1063515ce15ff31065c4e7f8265f4c2fd3c54876, 2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5, 2edfa31769a4add828a7e604b21cb82aaaa05925, 4a622658f384b03560834cbe8ffcfe69a278f7c8, and 590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3. Security practitioners should update to kernels incorporating these fixes to mitigate exposure in environments using IP6 tunneling.
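The two fixes described above (clearing the cloned skb's cb[] and minimally validating the inner IPv4 header) are easy to reason about with a small model. The following is an added example, not code from the kernel patches or from the CVE record: it models a control block as a 48-byte array (an assumed size) in which, as the advisory states, offset 14 is read by the IPv4 path as the record-route pointer rr, and it shows that a stale, non-zero byte there makes the option-echo path take a length from packet data, whereas a cleared block yields nothing to echo. All sample headers, packets and the CB_RR_OFFSET/CB_SIZE constants are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the skb control block (not the kernel's definitions).
 * CB_SIZE is assumed; CB_RR_OFFSET is the offset 14 named in the advisory,
 * where the IPv6 nhoff field overlaps the IPv4 opt.rr field. */
#define CB_SIZE                    48
#define CB_RR_OFFSET               14
#define IP_OPTIONS_DATA_FIXED_SIZE 40   /* fixed stack buffer size named in the advisory */

/* Fix 2: minimal IPv4 header validation from the patch (version == 4, ihl >= 5).
 * The buffer-length checks are added here so the function is safe on short input.
 * Returns 1 when the header is acceptable, 0 otherwise. */
int ip4_header_minimally_valid(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 20)
        return 0;
    unsigned version = hdr[0] >> 4;
    unsigned ihl = hdr[0] & 0x0f;       /* header length in 32-bit words */
    if (version != 4 || ihl < 5)
        return 0;
    if ((size_t)ihl * 4 > len)          /* declared header longer than the data */
        return 0;
    return 1;
}

/* Models what the IPv4 option-echo path sees: if the rr slot is non-zero it
 * takes an option length from packet data at pkt[rr + 1]. Returns the number
 * of bytes that would be copied into the fixed buffer, or -1 when that copy
 * would read outside the packet or exceed IP_OPTIONS_DATA_FIXED_SIZE. */
int option_echo_copy_len(const uint8_t cb[CB_SIZE], const uint8_t *pkt, size_t pktlen)
{
    unsigned rr = cb[CB_RR_OFFSET];
    if (rr == 0)
        return 0;                       /* nothing to echo */
    if ((size_t)rr + 1 >= pktlen)
        return -1;                      /* length byte lies outside the packet */
    unsigned optlen = pkt[rr + 1];
    if (optlen > IP_OPTIONS_DATA_FIXED_SIZE)
        return -1;                      /* would overflow the 40-byte buffer */
    return (int)optlen;
}

/* Fix 1: clear the cloned skb's cb[] before it is handed to the IPv4 path. */
void clear_cloned_cb(uint8_t cb[CB_SIZE])
{
    memset(cb, 0, CB_SIZE);
}

/* Constructed samples: a plain IPv4 header (version 4, ihl 5), an IPv6 header
 * byte (version 6), and a header claiming ihl 4, which is below the minimum. */
static const uint8_t SAMPLE_V4_HDR[20]      = {0x45};
static const uint8_t SAMPLE_V6_HDR[20]      = {0x60};
static const uint8_t SAMPLE_BAD_IHL_HDR[20] = {0x44};

/* Builds a stale cb[] (non-zero byte at the overlapping offset, as the IPv6
 * receive path would leave) and a packet whose byte at rr + 1 is large, then
 * reports the modelled copy length before and after clearing the block. */
int stale_cb_copy_len(void)
{
    uint8_t cb[CB_SIZE] = {0};
    uint8_t pkt[64] = {0};
    cb[CB_RR_OFFSET] = 40;              /* stale IPv6 value seen as rr by IPv4 code */
    pkt[41] = 0xff;                     /* constructed length byte at pkt[rr + 1] */
    return option_echo_copy_len(cb, pkt, sizeof pkt);
}

int cleared_cb_copy_len(void)
{
    uint8_t cb[CB_SIZE] = {0};
    uint8_t pkt[64] = {0};
    cb[CB_RR_OFFSET] = 40;
    pkt[41] = 0xff;
    clear_cloned_cb(cb);                /* the fix: no stale rr survives */
    return option_echo_copy_len(cb, pkt, sizeof pkt);
}

int main(void)
{
    printf("stale cb copy length:   %d\n", stale_cb_copy_len());
    printf("cleared cb copy length: %d\n", cleared_cb_copy_len());
    printf("v4 header ok: %d, v6 header ok: %d, ihl<5 ok: %d\n",
           ip4_header_minimally_valid(SAMPLE_V4_HDR, 20),
           ip4_header_minimally_valid(SAMPLE_V6_HDR, 20),
           ip4_header_minimally_valid(SAMPLE_BAD_IHL_HDR, 20));
    return 0;
}
```

The stale block yields -1 (the modelled copy would exceed the 40-byte buffer), while the cleared block yields 0, which is the behaviour the cb[] clearing restores; the header check rejects the IPv6 and ihl < 5 cases independently of the control block, which is why the patch carries both changes.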
Details
- CWE(s)