PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43501 Linux CVE debrief

CVE-2026-43501 is a Linux kernel IPv6 vulnerability in RPL Source Routing Header processing. When ipv6_rpl_srh_rcv() decompresses, swaps the next segment, recompresses, and pushes the rebuilt headers back, the new header can require more space than the received one. If the remaining headroom is smaller than the push size plus skb->mac_len, the MAC header rebuild path can write past skb->head, leading to kernel memory corruption. The supplied CVE text reports KASAN observed an out-of-bounds write in ipv6_rthdr_rcv.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that enable IPv6 raw socket traffic or process IPv6 Routing Headers should prioritize this issue. It is especially relevant for environments that may accept untrusted local workloads or containerized code.

Technical summary

The bug is in IPv6 RPL SRH receive handling. After decompression and segment swapping, the recompressed SRH may be larger than the original because common-prefix compression changes. The existing pskb_expand_head() check was only performed when segments_left == 0, so earlier segments could proceed with insufficient headroom. If skb_push() leaves less than skb->mac_len bytes before skb->data, skb_set_mac_header(skb, -skb->mac_len) can wrap the u16 mac_header field, and the subsequent memmove() in skb_mac_header_rebuild() can copy mac_len bytes far beyond the skb buffer. The supplied fix expands the head whenever remaining room is less than the push size plus mac_len.

Defensive priority

High. The issue is a kernel memory corruption bug in packet processing, which can crash affected systems and may have security impact beyond denial of service. The exact attack surface and preconditions should be validated in your environment, but kernel fixes should be treated as urgent.

Recommended defensive actions

  • Apply the Linux kernel stable fixes linked in the advisory to affected branches and backport them through your distro process.
  • Prioritize patching systems that enable IPv6 raw sockets, SRH/RPL features, or process untrusted local workloads.
  • Watch for crashes, WARNs, or KASAN reports in ipv6_rthdr_rcv(), skb_mac_header_rebuild(), or related IPv6 header handling paths.
  • Validate that your kernel build includes the headroom fix before treating the system as remediated.

Evidence notes

The CVE description states that recompressed SRHs can exceed the received header size, that pskb_expand_head() was gated on segments_left == 0, and that insufficient headroom can make skb_set_mac_header() wrap and cause a memmove() write past skb->head. NVD lists five kernel.org stable references alongside the record, all timestamped with the same CVE publication time on 2026-05-21.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-21T13:16:19.410Z. The NVD entry lists kernel.org stable references, indicating the issue is tracked through Linux kernel fixes and backports.