CVE-2026-43083
Published: May 6, 2026
Modified: May 11, 2026
CVSS v3.1
9.1
Description
In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc); This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature. While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected b63c5478e9cb1d1504eb02d9dac827ad24612b32 - < 6d1d9ed9b409e0662241e3d245d574a18f643494affected b63c5478e9cb1d1504eb02d9dac827ad24612b32 - < 95a1334748c95dd15546056280ade0c4b8dd7b78affected b63c5478e9cb1d1504eb02d9dac827ad24612b32 - < b30b1675aa2bcf0491fd3830b051df4e08a7c8ca |
Linux | Linux | affected 5.17unaffected 0 - < 5.17unaffected 6.18.24 - <= 6.18.*unaffected 6.19.14 - <= 6.19.*unaffected 7.0 - <= * |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now