Security Vulnerability Report
CVE-2026-43341 CVSS 9.8 CRITICAL

CVE-2026-43341

Published: 2026-05-08 14:16:44
Last Modified: 2026-05-11 08:16:10
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: ioam6: prevent schema length wraparound in trace fill

ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.

Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions prior to the fix patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * Conceptual PoC for CVE-2026-43341 Integer Wraparound Logic
 * This code demonstrates the logic flaw that causes the wraparound.
 * Actual exploitation requires crafting specific IPv6 packets.
 */
#include <stdio.h>
#include <stdint.h>

void simulate_vulnerable_logic(uint32_t payload_size)
{
    // Vulnerable code uses u8 for schema length
    uint8_t sclen_vulnerable;
    // Fixed code uses unsigned int
    unsigned int sclen_fixed;

    // Simulate calculation: 1 + payload / 4
    // Assuming payload_size triggers the large schema path
    uint32_t calculated_len = 1 + (payload_size / 4);
    printf("Calculated Length: %u\n", calculated_len);

    // Vulnerable path: cast to u8 causes wraparound
    sclen_vulnerable = (uint8_t)calculated_len;
    printf("Vulnerable u8 length: %u (Wraps if > 255)\n",
           (unsigned int)sclen_vulnerable);

    // Fixed path
    sclen_fixed = calculated_len;
    printf("Fixed unsigned int length: %u\n", sclen_fixed);

    if (sclen_vulnerable == 0 && calculated_len > 0) {
        printf("[!] Vulnerability Triggered: Length wrapped to 0, bypassing bounds check!\n");
    }
}

int main(void)
{
    // Example payload size that triggers the issue (e.g., 1020 bytes)
    // 1 + 1020/4 = 256, which wraps to 0 in u8
    simulate_vulnerable_logic(1020);
    return 0;
}

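References

https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280
https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50
https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f
https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09
https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d
https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596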

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43341", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:44.050", "lastModified": "2026-05-11T08:16:10.430", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: ioam6: prevent schema length wraparound in trace fill\n\nioam6_fill_trace_data() stores the schema contribution to the trace\nlength in a u8. With bit 22 enabled and the largest schema payload,\nsclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the\nremaining-space check. __ioam6_fill_trace_data() then positions the\nwrite cursor without reserving the schema area but still copies the\n4-byte schema header and the full schema payload, overrunning the trace\nbuffer.\n\nKeep sclen in an unsigned int so the remaining-space check and the write\ncursor calculation both see the full schema length."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}