CVE-2026-46037 Linux CVE debrief

Who should care

Linux system administrators, kernel maintainers, cloud infrastructure operators, and security teams responsible for network-facing Linux systems

Technical summary

The Linux kernel's icmp_reply() function in net/ipv4/icmp.c did not validate that ICMP reply types were within the bounds of the icmp_pointers[] array before performing lookups. Extended echo replies (ICMP_EXT_ECHOREPLY, type 43) fall outside the traditional ICMP type range (NR_ICMP_TYPES = 18), leading to out-of-bounds array access. The resolution adds explicit bounds checking to skip icmp_pointers[] consultation for out-of-range reply types, and applies array_index_nospec() to remaining in-range accesses as a Spectre-v1 mitigation. Normal ICMP replies are unaffected by this change.

Defensive priority

high

Recommended defensive actions

• Apply kernel updates from your Linux distribution that include the referenced stable kernel commits
• Verify kernel version is updated to a patched release (check with uname -r)
• For systems where immediate patching is not possible, consider network-level filtering of ICMP extended echo requests (type 42) and replies (type 43) if this functionality is not required
• Monitor for kernel security advisories from your distribution vendor

Evidence notes

The vulnerability description indicates that ICMP_EXT_ECHOREPLY (type 43) exceeds NR_ICMP_TYPES (18), causing out-of-bounds access to icmp_pointers[]. The fix adds bounds checking before array access and employs array_index_nospec() as a defense-in-depth measure against speculative execution vulnerabilities. Multiple stable kernel commits are referenced, indicating backports to supported kernel versions.

Official resources