CVE-2026-43341 Overview
CVE-2026-43341 is a kernel memory corruption vulnerability in the Linux kernel's IPv6 In-situ Operations, Administration, and Maintenance (IOAM6) implementation. The flaw resides in ioam6_fill_trace_data(), where the schema contribution to trace length is stored in a u8 variable. When bit 22 is enabled with the largest schema payload, sclen computes to 1 + 1020 / 4 and wraps from 256 to 0. This wraparound bypasses the remaining-space check, allowing __ioam6_fill_trace_data() to overrun the trace buffer when copying the 4-byte schema header and the full schema payload.
Critical Impact
Network-reachable attackers can trigger an out-of-bounds write in kernel memory through crafted IOAM6-enabled IPv6 traffic, potentially leading to kernel memory corruption and code execution.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Distributions shipping affected kernel versions with IPv6 IOAM6 enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43341 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43341
Vulnerability Analysis
The vulnerability is an integer truncation issue [CWE-197] leading to an out-of-bounds write [CWE-787] in the Linux kernel networking stack. The IOAM6 subsystem implements the IETF In-situ OAM specification for IPv6, embedding telemetry metadata into the IPv6 hop-by-hop extension header. The ioam6_fill_trace_data() routine calculates how many 4-byte units the schema fields contribute to the trace length and stores the result in an 8-bit variable.
With a maximum schema payload of 1020 bytes plus the 4-byte schema header, the computed length is 256 4-byte units. Because the storage type is u8, the value wraps to 0. The remaining-space sanity check therefore concludes that no space is required for the schema, while the subsequent write path advances the cursor and copies the schema bytes into the buffer. The result is a heap or stack overflow in kernel context, depending on how the trace buffer is allocated.
Root Cause
The root cause is improper integer type selection. The schema length variable sclen is declared as u8 but holds a value derived from a 1020-byte payload divided by 4 plus one header unit. The computation exceeds UINT8_MAX (255), wrapping to 0 and silently invalidating the bounds check. The upstream fix widens sclen to unsigned int so both the remaining-space comparison and the write cursor arithmetic observe the true schema length.
Attack Vector
An unauthenticated remote attacker can deliver crafted IPv6 packets containing IOAM6 hop-by-hop options with bit 22 set and a maximum schema payload to a vulnerable host. Processing the packet triggers the wraparound condition in ioam6_fill_trace_data() and corrupts adjacent kernel memory. Successful exploitation can result in denial of service through kernel panic or, with sufficient control of the overflowed region, kernel code execution.
No verified public exploit code is available. The vulnerability mechanism is described in the upstream kernel commits referenced in the Kernel Git Commit 184d2e9 and related stable patches.
Detection Methods for CVE-2026-43341
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing ioam6_fill_trace_data or __ioam6_fill_trace_data in dmesg or /var/log/kern.log.
- Inbound IPv6 packets carrying hop-by-hop IOAM6 options with the IOAM trace type bit 22 set and unusually large schema payloads.
- KASAN reports indicating slab or stack out-of-bounds writes originating from the IOAM6 trace fill path.
Detection Strategies
- Inspect IPv6 hop-by-hop extension headers at network ingress for IOAM6 options with maximum-length schema fields and abnormal trace type flags.
- Enable CONFIG_KASAN on test kernels to catch the out-of-bounds write during fuzzing or staged rollouts.
- Correlate kernel crash telemetry with IPv6 traffic anomalies using EDR or host-based telemetry that captures kernel events.
Monitoring Recommendations
- Monitor host kernel logs for traces in the net/ipv6/ioam6.c code path and alert on repeated occurrences across fleet hosts.
- Track running kernel versions inventory-wide and flag systems still on pre-patch builds where IOAM6 is enabled.
- Capture netflow or packet metadata for IPv6 traffic carrying hop-by-hop options to baseline normal IOAM6 usage and detect abuse.
How to Mitigate CVE-2026-43341
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree commits and reboot affected hosts.
- If patching is not immediately feasible, disable IOAM6 ingress processing on IPv6 interfaces where the feature is not required.
- Drop or filter inbound IPv6 packets containing hop-by-hop IOAM6 options at network perimeter and host firewalls.
Patch Information
The Linux kernel maintainers shipped fixes across multiple stable branches. The change keeps sclen in an unsigned int so the remaining-space check and the write cursor calculation observe the full schema length. Reference commits: Kernel Git Commit 184d2e9, Kernel Git Commit 5e67ba9, Kernel Git Commit 77695a6, Kernel Git Commit d1b0410, Kernel Git Commit d6e1c9b, and Kernel Git Commit e96d48b.
Workarounds
- Use nftables or ip6tables to drop IPv6 packets containing hop-by-hop extension headers with IOAM option type at the host or perimeter.
- Unload or disable the IOAM6 functionality where not in use by ensuring no namespaces are configured with IOAM6 schemas.
- Restrict IPv6 routing of hop-by-hop options to trusted infrastructure segments only.
# Drop inbound IPv6 packets carrying hop-by-hop extension headers at the host
sudo nft add table inet filter
sudo nft add chain inet filter input '{ type filter hook input priority 0; }'
sudo nft add rule inet filter input meta nfproto ipv6 exthdr hbh exists drop
# Verify current running kernel and IOAM6 module status
uname -r
grep CONFIG_IPV6_IOAM6 /boot/config-$(uname -r)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
