
Dear OSG Security Contacts,

A flaw was found in the Linux kernel's IPv6 ICMP error generation (CVE-2026-43038). A remote attacker could send a specially crafted IPv4 ICMP error packet with a Common Internet Protocol Security Option (CIPSO) IP option. This could result in information disclosure or a denial of service.

WHAT ARE THE VULNERABILITIES:

The vulnerability is caused by the Linux kernel reusing packet metadata when generating IPv6 ICMP error messages. A remote attacker can send a specially crafted IPv4 ICMP error packet containing a Common Internet Protocol Security Option (CIPSO) IP option, causing IPv4 control-buffer data to be incorrectly interpreted as IPv6 metadata after the packet is cloned. Because certain fields in the IPv4 and IPv6 metadata structures overlap in memory, the attacker can influence an IPv6 offset value used during packet parsing. This may result in out-of-bounds memory access, potentially leading to information disclosure or denial of service.

The root cause is that the cloned packet's control buffer (skb2->cb[]) is not cleared before being reused, leading to type confusion between IPv4 (inet_skb_parm) and IPv6 (inet6_skb_parm) control structures.

IMPACTED VERSIONS:

Linux systems running kernel packages that do not include the fix for CVE-2026-43038 may be affected. Most major Linux vendors (Red Hat, AlmaLinux, Rocky Linux, Ubuntu, and SUSE) have released or are releasing backported fixes. Kernel version numbers alone may not be sufficient to determine exposure because vendors frequently backport security fixes without changing the upstream kernel version. Refer to your distribution's security advisory for patch status.

WHAT YOU SHOULD DO:

Apply distribution security updates as soon as vendor-backported packages become available for the kernel branches in use.

Reboot patched systems to ensure the fixed kernel is active in memory.

MITIGATION

These mitigations are workarounds and do not replace installing vendor-provided security updates. Organizations may implement one or more of the following measures based on operational requirements:

Drop or rate-limit untrusted ICMPv4 error packets that include IP options at perimeter firewalls and host-based filters.

Block CIPSO-tagged traffic at network boundaries where it is not operationally required.

Disable IPv6 on hosts that do not need it, reducing the reachable attack surface for ip6_err_gen_icmpv6_unreach().

Example: drop ICMPv4 packets carrying IP options at the host firewall

iptables -A INPUT -p icmp -m ipv4options --any -j DROP
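
Added example, not part of the original advisory: a Python classifier that a capture-analysis or IDS script could use to flag the traffic the mitigations above target, namely ICMPv4 error messages carrying IP options, and CIPSO (IPv4 option type 134) in particular. The function names, the labels and the sample() packet builder are assumptions made for illustration, and the packets it builds are constructed test data.

```python
import struct

CIPSO = 134                       # IPv4 option type of CIPSO
ICMP_ERRORS = {3, 4, 5, 11, 12}   # unreachable, source quench, redirect, time exceeded, parameter problem

def option_types(pkt):
    """Return the IPv4 option types present (NOP/EOL skipped), or None if the header is malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    hlen = (pkt[0] & 0x0F) * 4
    if hlen < 20 or len(pkt) <= hlen:        # need at least the ICMP type byte
        return None
    found, i = [], 20
    while i < hlen:
        opt = pkt[i]
        if opt == 0:                         # End of Option List
            break
        if opt == 1:                         # No-Operation (single byte)
            i += 1
            continue
        if i + 1 >= hlen or pkt[i + 1] < 2 or i + pkt[i + 1] > hlen:
            return None                      # truncated option or bad length
        found.append(opt)
        i += pkt[i + 1]
    return found

def classify(pkt):
    """Label a raw IPv4 packet for the filtering policy described above."""
    opts = option_types(pkt)
    if opts is None:
        return "malformed"
    hlen = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                          # IP protocol 1 = ICMP
        return "not-icmp"
    if pkt[hlen] not in ICMP_ERRORS:
        return "icmp-non-error"
    if CIPSO in opts:
        return "icmp-error-cipso"
    return "icmp-error-options" if hlen > 20 else "icmp-error-plain"

def sample(icmp_type, options=b""):
    """Constructed test packet: IPv4 header (checksum 0, documentation addresses) + 8-byte ICMP header."""
    options += b"\x00" * (-len(options) % 4) # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + bytes([icmp_type, 0]) + b"\x00" * 6
```

Packets labelled "malformed" have an option length that runs past the IP header and are worth dropping and logging alongside the CIPSO-tagged ones.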

REFERENCES

[1] https://access.redhat.com/security/cve/cve-2026-43038
[2] https://www.sentinelone.com/vulnerability-database/cve-2026-43038/
[3] https://ubuntu.com/security/CVE-2026-43038
[4] https://www.suse.com/security/cve/CVE-2026-43038.html
[5] https://errata.almalinux.org/8/ALSA-2026-25121.html
[6] https://errata.rockylinux.org/RLSA-2026:25121

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team