CVE-2026-43038— IPv6 ICMP ip6_err_gen_icmpv6_unreach() 内存越界漏洞
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2026-43038 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18. If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO). This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao. Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info? Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this? This patch implements the first suggestion. I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
受影响产品
二、漏洞 CVE-2026-43038 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2026-43038 的情报信息
Please 登录 to view more intelligence information
同批安全公告 · Linux · 2026-05-01 · 共 146 条
| CVE-2026-43011 | 9.8 CRITICAL | Linux X.25模块 潜在双重释放漏洞 |
| CVE-2026-43037 | 9.8 CRITICAL | ip6_tunnel 远程代码执行漏洞 |
| CVE-2026-31705 | 9.8 CRITICAL | ksmbd smb2_get_ea() EA对齐越界写入漏洞 |
| CVE-2026-43039 | 9.8 CRITICAL | TI ICSSG PRUSS 以太网驱动 ZC RX 调度数据拷贝缺失及回收错误漏洞 |
| CVE-2026-31718 | 9.8 CRITICAL | Linux ksmbd 远程代码执行漏洞 |
| CVE-2026-43018 | 8.8 HIGH | 蓝牙hci_event:修复hci_le_remote_conn_param_req_evt中的UAF漏洞 |
| CVE-2026-31773 | 8.8 HIGH | 蓝牙 SMP 遗留响应者 STK 认证漏洞 |
| CVE-2026-31739 | 8.8 HIGH | Tegra 驱动缺少 CRYPTO_ALG_ASYNC 标志漏洞 |
| CVE-2026-31735 | 8.8 HIGH | iommupt: 修复映射中短收集漏洞 |
| CVE-2026-31717 | 8.8 HIGH | ksmbd 持久句柄重连所有者验证漏洞 |
| CVE-2026-31706 | 8.8 HIGH | ksmbd: smb_inherit_dacl() 访问控制验证与强化漏洞 |
| CVE-2026-43048 | 8.8 HIGH | HID核心模块移除虚假memset导致越界访问漏洞 |
| CVE-2026-31709 | 8.8 HIGH | SMB客户端cifsacl DACL重写前验证漏洞 |
| CVE-2026-31712 | 8.3 HIGH | ksmbd smb_check_perm_dacl权限检查漏洞 |
| CVE-2026-31771 | 8.1 HIGH | 蓝牙 hci_event 唤醒原因存储漏洞 |
| CVE-2026-31779 | 8.1 HIGH | iwlwifi iwl_mvm_nd_match_info_handler 越界读取漏洞 |
| CVE-2026-31708 | 8.1 HIGH | smb2_ioctl_query_info 越界读取漏洞 |
| CVE-2026-43051 | 8.1 HIGH | Wacom HID驱动程序越界读取漏洞 |
| CVE-2026-31780 | 7.8 HIGH | wilc1000 SSID扫描缓冲区大小计算u8溢出漏洞 |
| CVE-2026-31782 | 7.8 HIGH | Intel PMU intel_pmu_hw_config 潜在容器索引错误漏洞 |
显示前 20 条,共 146 条。 查看全部 → →
IV. Related Vulnerabilities
V. Comments for CVE-2026-43038
暂无评论