In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid overflows in ip6_datagram_send_ctl()
Yiming Qian reported :
<quote>
I believe I found a locally triggerable kernel bug in the IPv6 sendmsg
ancillary-data path that can panic the kernel via skb_under_panic()
(local DoS).
The core issue is a mismatch between:
struct ipv6_txoptions::opt_flen, type__u16) andopt->dst1opt)when multiple IPV6_DSTOPTS control messages (cmsgs) are provided.
include/net/ipv6.h:struct ipv6_txoptions::opt_flen is __u16 (wrap possible).net/ipv6/datagram.c:ip6_datagram_send_ctl():IPV6_DSTOPTS and accumulates into opt_flennet/ipv6/ip6_output.c:__ip6_append_data():opt->opt_flen + opt->opt_nflen to compute headernet/ipv6/ip6_output.c:__ip6_make_skb():ipv6_push_frag_opts() if opt->opt_flen is non-zero.net/ipv6/exthdrs.c:ipv6_push_frag_opts() / ipv6_push_exthdr():ipv6_optlen(opt->dst1opt) (based on theopt_flen is a 16-bit accumulator:include/net/ipv6.h:298 defines __u16 opt_flen; /* after fragment hdr */.ip6_datagram_send_ctl() accepts repeated IPV6_DSTOPTS cmsgsopt_flen each time:net/ipv6/datagram.c:909-933, for IPV6_DSTOPTS:len = ((hdr->hdrlen + 1) << 3);CAP_NET_RAW using ns_capable(net->user_ns,
CAP_NET_RAW). (line 922)opt->opt_flen += len; (line 927)opt->dst1opt = hdr; (line 928)There is no duplicate rejection here (unlike the legacy
IPV6_2292DSTOPTS path which rejects duplicates at
net/ipv6/datagram.c:901-904).
If enough large IPV6_DSTOPTS cmsgs are provided, opt_flen wraps
while dst1opt still points to a large (2048-byte)
destination-options header.
In the attached PoC (poc.c):
hdrlen=255 => len = (255+1)*8 = 2048hdrlen=0 => len = 832*2048 + 8 = 65544, so (__u16)opt_flen == 8dst1opt points to a 2048-byte header.opt_flen:net/ipv6/ip6_output.c:1463-1465:headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen +
opt->opt_nflen : 0) + ...;With wrapped opt_flen, headersize/headroom decisions underestimate
what will be pushed later.
dst1opt and is not limited by wrapped opt_flen:net/ipv6/ip6_output.c:1930-1934:if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);net/ipv6/exthdrs.c:1206-1211, ipv6_push_frag_opts() pushesdst1opt via ipv6_push_exthdr().net/ipv6/exthdrs.c:1179-1184, ipv6_push_exthdr() does:skb_push(skb, ipv6_optlen(opt));memcpy(h, opt, ipv6_optlen(opt));With insufficient headroom, skb_push() underflows and triggers
skb_under_panic() -> BUG():
net/core/skbuff.c:2669-2675 (skb_push() calls skb_under_panic())net/core/skbuff.c:207-214 (skb_panic() ends in BUG())
The IPV6_DSTOPTS cmsg path requires CAP_NET_RAW in the target
netns user namespace (ns_capable(net->user_ns, CAP_NET_RAW)).
CAP_NET_RAW) can trigger this without userAn unprivileged uid=1000 user can trigger this if unprivileged
user namespaces are enabled and it can create a userns+netns to obtain
namespaced CAP_NET_RAW (the attached PoC does this).
Local denial of service: kernel BUG/panic (system crash).
-
---truncated---
| Score | Percentile |
|---|---|
| 0.11% | 1.74% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-2rf4-5672-vqwm ↗ |
| CVE | CVE-2026-31415 ↗ |
| CWE id | Name |
|---|---|
| CWE-617 | Reachable Assertion |