Cyber Posture

CVE-2026-43186

Critical

Published: 06 May 2026

Published
06 May 2026
Modified
11 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-43186 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-16 Memory Protection
addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote crafted IPv6 packet triggers out-of-bounds write in kernel IOAM receive path (public-facing network stack).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is…

more

from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic. Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it: - in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation; - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written. Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00).

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-787

Affected Products

linux
linux kernel
5.15 — 5.15.202 · 5.16 — 6.1.165 · 6.2 — 6.6.128

CVEs Like This One

CVE-2026-43037Same product: Linux Linux Kernel
CVE-2026-31705Same product: Linux Linux Kernel
CVE-2026-23112Same product: Linux Linux Kernel
CVE-2026-31631Same product: Linux Linux Kernel
CVE-2025-71155Same product: Linux Linux Kernel
CVE-2026-31470Same product: Linux Linux Kernel
CVE-2025-21869Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2024-56784Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel

References