PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43341 Git CVE debrief

CVE-2026-43341 is a Linux kernel vulnerability in net/ipv6 ioam6 trace filling where a schema-length value could wrap around and defeat a remaining-space check. The resulting cursor miscalculation could allow writes past the trace buffer, and the upstream fix keeps the length in a wider integer type so the size checks and cursor math use the full value.

Vendor
Git
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-11
Advisory published
2026-05-08
Advisory updated
2026-05-11

Who should care

Kernel maintainers, Linux platform teams, and operators running systems with IPv6 IOAM6 enabled should prioritize this issue. It is especially relevant anywhere kernel memory corruption would have high operational impact, because the CVSS vector indicates network reachability with no privileges or user interaction required.

Technical summary

The source description says ioam6_fill_trace_data() stored the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, the computed schema length could wrap from 256 to 0. That wrap allowed the remaining-space check to pass incorrectly, after which __ioam6_fill_trace_data() positioned the write cursor without reserving the schema area but still copied the 4-byte schema header and the full schema payload. The fix is to keep sclen as an unsigned int so the length check and cursor calculation see the true size.

Defensive priority

Critical. The issue is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the bug class is memory corruption in kernel code. Treat patching as urgent for any environment that may expose or use the affected IPv6 IOAM6 path.

Recommended defensive actions

  • Apply the kernel update that includes the linked ioam6 length-wraparound fix.
  • Review whether IPv6 IOAM6 tracing is enabled in production kernels and disable it where it is not required until systems are patched.
  • Prioritize remediation on internet-facing or high-value Linux systems, because the CVSS vector indicates remote, unauthenticated impact.
  • Validate kernel versions against the upstream/stable fixes referenced by the official kernel.org commits.
  • Monitor affected fleets for unexpected kernel crashes or memory-corruption symptoms while patching is rolled out.

Evidence notes

This debrief is based on the supplied CVE description and official NVD/CVE references only. The corpus explicitly states that ioam6_fill_trace_data() used a u8 for schema length, that a wraparound could bypass the remaining-space check, and that the fix changes sclen to unsigned int. The source corpus does not provide affected version ranges or exploit activity, so those details are intentionally not asserted here.

Official resources

CVE publishedAt: 2026-05-08T14:16:44.050Z; CVE modifiedAt: 2026-05-11T08:16:10.430Z. These dates are used as the issue timing context.