CVE-2026-43037 Overview
CVE-2026-43037 is an out-of-bounds write vulnerability [CWE-787] in the Linux kernel's IPv6 tunneling subsystem. The flaw resides in the ip4ip6_err() function within ip6_tunnel, where a cloned skb retains control buffer (cb[]) data written by the IPv6 receive path as struct inet6_skb_parm. When icmp_send() subsequently passes IPCB(skb2) to __ip_options_echo(), the function reinterprets that region as struct inet_skb_parm (IPv4). The layout mismatch causes inet6_skb_parm.nhoff at offset 14 to overlap inet_skb_parm.opt.rr, producing a non-zero rr value that drives a stack buffer overflow.
Critical Impact
A remote, unauthenticated attacker can trigger an out-of-bounds write into a fixed 40-byte kernel stack buffer (IP_OPTIONS_DATA_FIXED_SIZE), enabling potential remote code execution or kernel memory corruption with no user interaction.
Affected Products
- Linux kernel (multiple stable branches, per upstream commits)
- Linux kernel 7.0 release candidates rc1 through rc6
- Distributions shipping unpatched kernels with ip6_tunnel (ip4ip6) support enabled
Discovery Timeline
- 2026-05-01 - CVE-2026-43037 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-43037
Vulnerability Analysis
The vulnerability is an out-of-bounds write triggered through the IPv6-in-IPv4 tunnel error path. When ip4ip6_err() processes an ICMP error for a tunneled packet, it operates on a cloned skb whose cb[] control buffer was previously populated by the IPv6 receive path. That buffer is structured as struct inet6_skb_parm. The error path then invokes icmp_send(), which treats IPCB(skb2) as struct inet_skb_parm for IPv4 processing.
Because the two structures have different field layouts, the IPv6 nhoff field at offset 14 collides with the IPv4 opt.rr field. __ip_options_echo() reads this stale rr value and uses it as an index into attacker-controlled inner packet data. It then reads optlen from sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). An optlen exceeding 40 produces a stack-based out-of-bounds write.
Root Cause
The root cause is failure to clear the skb->cb[] control buffer when transitioning a cloned skb between IPv6 and IPv4 protocol layers. Stale inet6_skb_parm data is misinterpreted as inet_skb_parm. A secondary issue is the absence of minimal IPv4 header validation (version == 4, ihl >= 5) before the inner packet is parsed.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted ICMP error referencing a malformed inner IPv4 packet through an ip4ip6 tunnel endpoint. When the kernel processes the error, the layout confusion produces a non-zero rr index, and attacker-supplied bytes from the inner packet are copied past the 40-byte stack buffer. Successful exploitation can corrupt kernel stack memory, leading to denial of service or privileged code execution. The fix clears skb2->cb[] in ip4ip6_err() and adds the missing IPv4 header sanity checks. See the upstream commits at git.kernel.org for the patch series.
Detection Methods for CVE-2026-43037
Indicators of Compromise
- Unexpected kernel oops or stack-protector panics referencing __ip_options_echo, icmp_send, or ip4ip6_err in dmesg and /var/log/kern.log.
- Inbound ICMPv6 error messages whose embedded inner packet carries malformed IPv4 headers (invalid version or ihl < 5) directed at ip4ip6 tunnel endpoints.
- Crashes or kernel panics on hosts running ip6_tunnel with ip4ip6 mode enabled.
Detection Strategies
- Inventory hosts loading the ip6_tunnel module (lsmod | grep ip6_tunnel) and correlate with kernel versions vulnerable per the upstream commit list.
- Deploy network monitoring rules that flag ICMPv6 errors carrying malformed inner IPv4 packets toward tunnel endpoints.
- Enable kernel hardening telemetry (KASAN, stack canaries) in test environments to surface the out-of-bounds write during fuzzing or red-team exercises.
Monitoring Recommendations
- Forward kernel logs and crash dumps to a centralized analytics platform and alert on signatures referencing __ip_options_echo or stack-protector failures in network softirq context.
- Track patch state across the Linux fleet using configuration management and flag systems still running pre-patch kernels with IPv6 tunneling enabled.
- Monitor for anomalous ICMPv6 traffic patterns terminating on tunnel interfaces (ip6tnl*, sit*).
How to Mitigate CVE-2026-43037
Immediate Actions Required
- Apply the upstream Linux kernel patches that clear skb2->cb[] in ip4ip6_err() and add IPv4 header validation. See commits 590f622669b9 and a0c4ce9900a1.
- Update to a fixed kernel build from your distribution as soon as backports are released.
- On hosts that do not require IPv6-in-IPv4 tunneling, unload or blacklist the ip6_tunnel module to remove the vulnerable code path.
Patch Information
The Linux kernel maintainers released the fix across multiple stable branches. Patch commits are available at 1063515ce15f, 2cc6e3b0fe0f, 2edfa31769a4, 4a622658f384, d6621f60192f, and ea9f65b27c84. Apply the commit corresponding to your kernel branch or upgrade to a release that includes the fix.
Workarounds
- Blacklist the ip6_tunnel module by adding blacklist ip6_tunnel to /etc/modprobe.d/blacklist.conf on hosts that do not need ip4ip6 tunnels.
- Filter ICMPv6 error traffic at perimeter firewalls for hosts exposing ip4ip6 tunnel endpoints to untrusted networks.
- Disable IPv6 tunnel interfaces with ip link set <ip6tnl_iface> down where the functionality is not in use.
# Configuration example: disable and blacklist ip6_tunnel where not required
sudo ip link set ip6tnl0 down 2>/dev/null
echo "blacklist ip6_tunnel" | sudo tee /etc/modprobe.d/disable-ip6tunnel.conf
sudo rmmod ip6_tunnel 2>/dev/null
uname -r # verify kernel version after patching
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
