Skip to content

Dear OSG Security Contacts,

A flaw was found in the Linux kernel's IPv6 tunnel implementation (CVE-2026-43037). An unauthenticated remote attacker could exploit this flaw by sending malicious ICMPv6 error messages to trigger a stack-based buffer overflow in the kernel's IPv4-over-IPv6 tunnel error handling code. This could result in a kernel crash (denial of service) or potentially allow arbitrary code execution with kernel privileges.

WHAT ARE THE VULNERABILITIES:

This Critical flaw in the Linux kernel's IPv6 tunneling error handling can lead to a stack buffer overflow. A remote attacker can send a specially crafted ICMP error packet through an affected IPv6 tunnel endpoint, causing the kernel to copy attacker-controlled data beyond the bounds of a fixed 40-byte stack buffer. Successful exploitation could lead to a denial of service or potentially arbitrary code execution with elevated privileges.

IMPACTED VERSIONS:

Linux systems running kernel packages that do not include the fix for CVE-2026-43037 may be affected. Most major Linux vendors (Red Hat, AlmaLinux, Rocky Linux, Ubuntu, and SUSE) have released or are releasing backported fixes. Kernel version numbers alone may not be sufficient to determine exposure because vendors frequently backport security fixes without changing the upstream kernel version. Refer to your distribution's security advisory for patch status.

WHAT YOU SHOULD DO:

Apply patches as they become available.

Administrators can determine whether the affected module is currently loaded by running: lsmod | grep ip6_tunnel

As a temporary mitigation, systems that do not require IPv4-over-IPv6 tunneling functionality should consider disabling or blacklisting the affected ip6_tunnel module until vendor fixes have been applied. Blacklisting the module will prevent it from being loaded at boot time. How do I blacklist a kernel module to prevent it from loading automatically? https://access.redhat.com/solutions/41278 We may also want to detection and monitoring an affected system as below: Monitor for exploitation attempts:

Enable kernel audit for IPv6 tunnel operations

auditctl -a always,exit -F arch=b64 -S socket -F a0=10 -F a1=3 -k ipv6_tunnel

Monitor system logs for kernel panics/crashes

journalctl -k -p err -f | grep -i "ip6_tunnel|icmp|stack"

REFERENCES

[1] https://access.redhat.com/security/cve/cve-2026-43037 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-43037 [3] https://www.sentinelone.com/vulnerability-database/cve-2026-43037/ Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team