CVE-2026-43083 Overview
CVE-2026-43083 affects the Linux kernel's In-situ Operations, Administration, and Maintenance for IPv6 (ioam6) subsystem. The vulnerability stems from an out-of-bounds (OOB) access in the dev->_tx[] array and a missing lock around qdisc_qstats_qlen_backlog() inside __ioam6_fill_trace_data(). When trace->type.bit6 is set on the receive path, skb->queue_mapping carries the RX queue index of the ingress device. If that index exceeds the egress device's num_tx_queues, skb_get_tx_queue() returns an invalid pointer because it does not clamp the index. The Linux kernel maintainers have resolved the issue through patches in mainline and stable trees.
Critical Impact
A malformed IPv6 packet processed by the IOAM6 trace handler can trigger an out-of-bounds read on dev->_tx[], leading to kernel memory corruption or denial of service on systems with asymmetric RX/TX queue counts.
Affected Products
- Linux kernel versions containing the net: ioam6 trace data implementation prior to the fixing commits
- Linux distributions shipping vulnerable stable kernels
- Systems with IPv6 IOAM6 (CONFIG_IPV6_IOAM6) enabled and asymmetric RX/TX queue configurations
Discovery Timeline
- 2026-05-06 - CVE-2026-43083 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43083
Vulnerability Analysis
The vulnerability exists in __ioam6_fill_trace_data() within the Linux kernel's IPv6 IOAM6 implementation. When trace->type.bit6 is set, the function calls skb_get_tx_queue(dev, skb) followed by rcu_dereference(queue->qdisc) to populate per-queue trace fields. On the receive path (is_input is true), skb->queue_mapping represents the RX queue index of the ingress device, not the egress device. If the ingress device has more RX queues than the egress device has TX queues, the index returned by skb_get_queue_mapping(skb) exceeds dev->num_tx_queues. Because skb_get_tx_queue() does not clamp the index, the resulting pointer reads beyond the bounds of the dev->_tx[] array.
Root Cause
Two distinct defects coexist in __ioam6_fill_trace_data(). The first is the missing bounds check on skb_get_queue_mapping(skb) against dev->num_tx_queues before dereferencing the TX queue array [CWE-125]. The second is the missing lock around qdisc_qstats_qlen_backlog(), which is invoked from both softirq and process contexts and therefore requires spin_lock_bh() to prevent concurrent modification of qdisc statistics.
Attack Vector
An attacker positioned to inject IPv6 packets carrying an IOAM6 Hop-by-Hop option with trace->type.bit6 set can trigger the OOB read on hosts where IOAM6 is enabled and where the ingress NIC has more RX queues than an egress device has TX queues. The condition is reachable on any forwarding or terminating host with such queue asymmetry. Successful triggering reads adjacent kernel memory through an arbitrary qdisc pointer, potentially producing kernel panics, memory disclosure, or further memory corruption depending on the layout of structures following dev->_tx[].
No public exploit code is available. The kernel maintainers also note that per-queue visibility cannot be accurate in this design and will be replaced as a separate feature.
Detection Methods for CVE-2026-43083
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing __ioam6_fill_trace_data, skb_get_tx_queue, or qdisc_qstats_qlen_backlog in dmesg and /var/log/kern.log
- KASAN reports flagging out-of-bounds reads inside the ioam6 code path
- Inbound IPv6 traffic carrying Hop-by-Hop IOAM6 trace options on hosts that do not normally participate in IOAM6 telemetry
Detection Strategies
- Audit running kernels for the presence of the fixing commits 6d1d9ed9b409, 95a1334748c9, and b30b1675aa2b to confirm patch status
- Inspect /proc/sys/net/ipv6/ioam6_* and the configured IOAM6 namespace and schema tables (ip ioam namespace show, ip ioam schema show) to identify hosts with IOAM6 enabled
- Capture IPv6 traffic with a packet analyzer and filter for Hop-by-Hop options containing the IOAM6 trace type to identify unexpected senders
Monitoring Recommendations
- Forward kernel ring buffer entries and crash dumps to a centralized logging platform for correlation across fleets
- Track NIC queue configurations (ethtool -l) on routers and high-throughput hosts to identify asymmetric RX/TX setups that satisfy the trigger condition
- Alert on new IPv6 IOAM6 Hop-by-Hop options observed at network ingress points where IOAM6 is not part of the operational design
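The queue-asymmetry check recommended above, as an added example that is not part of the original advisory or the kernel project: it counts the rx-*/tx-* queue directories under /sys/class/net and prints every ingress/egress pair where the ingress RX count exceeds the egress TX count. The function names are hypothetical, and the script assumes the sysfs entries reflect the queues currently in use, so treat each hit as a candidate to confirm with ethtool -l.

```sh
#!/bin/sh
# Added example (not from the advisory): list ingress/egress interface pairs
# where the ingress RX queue count exceeds the egress TX queue count.

# count_queues <net_root> <iface> <rx|tx>: number of queue directories in sysfs.
count_queues() {
    n=0
    for q in "$1/$2/queues/$3-"*; do
        if [ -d "$q" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# find_asymmetric_pairs [net_root]: one line per pair with rx > tx.
# The same device can be both ingress and egress, so it is not skipped.
find_asymmetric_pairs() {
    root=${1:-/sys/class/net}
    for in_path in "$root"/*; do
        [ -d "$in_path/queues" ] || continue
        in_if=${in_path##*/}
        rx=$(count_queues "$root" "$in_if" rx)
        for out_path in "$root"/*; do
            [ -d "$out_path/queues" ] || continue
            out_if=${out_path##*/}
            tx=$(count_queues "$root" "$out_if" tx)
            [ "$tx" -gt 0 ] || continue   # unreadable or empty tree: no verdict
            if [ "$rx" -gt "$tx" ]; then
                echo "$in_if(rx=$rx) -> $out_if(tx=$tx)"
            fi
        done
    done
}

# Run against the live system; pass a directory to scan a constructed tree.
find_asymmetric_pairs "${1:-/sys/class/net}"
```

Virtual and loopback devices appear in the output as well; filter them according to which devices can actually act as egress in your routing setup.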
How to Mitigate CVE-2026-43083
Immediate Actions Required
- Update affected systems to a Linux kernel version that includes the upstream fixes referenced in the kernel.org commits
- Where patching is not yet possible, disable IOAM6 by ensuring no IOAM6 namespaces or schemas are configured and by blocking inbound IPv6 Hop-by-Hop IOAM6 options at the network edge
- Inventory hosts with CONFIG_IPV6_IOAM6=y and prioritize patching forwarding nodes and hosts with asymmetric RX/TX queue counts
Patch Information
The fix adds a bounds check so that __ioam6_fill_trace_data() skips the per-queue path when skb_get_queue_mapping(skb) is greater than or equal to dev->num_tx_queues, and wraps qdisc_qstats_qlen_backlog() with spin_lock_bh() to handle the dual softirq and process context invocation. The fix is distributed across the fixing commits named under Detection Strategies: 6d1d9ed9b409, 95a1334748c9, and b30b1675aa2b.
Workarounds
- Drop IPv6 packets containing Hop-by-Hop IOAM6 trace options at perimeter firewalls and ingress routers until kernels are patched
- Avoid configuring IOAM6 namespaces and schemas on production hosts that do not require IOAM6 telemetry
- Where feasible, align RX queue counts on ingress NICs with TX queue counts on potential egress devices to remove the asymmetry that triggers the OOB read
# Verify whether IOAM6 is configured on a host
ip ioam namespace show
ip ioam schema show
# Inspect NIC queue counts to identify asymmetric configurations
ethtool -l eth0
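# Record the running kernel version and check whether ioam6 symbols are present.
# Symbol presence alone does not indicate patch status; compare the version
# against your distribution's advisory for the fixing commits.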
uname -r
grep -E 'ioam6|__ioam6_fill_trace_data' /proc/kallsyms | head