Description

In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.

Affected products

VendorProductVersions
LinuxLinux14909664e4e192f4c6f6fcdccd9919af7cf783ab to <fddd41445a0537b093e6b3f6232c9933cad1e48b; 14909664e4e192f4c6f6fcdccd9919af7cf783ab to <1132e5edc2866c3530be17622153a597095f0e43; 14909664e4e192f4c6f6fcdccd9919af7cf783ab to <9c67b44edb3598d234efae6e44649eb993c03da5; 14909664e4e192f4c6f6fcdccd9919af7cf783ab to <0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0; 14909664e4e192f4c6f6fcdccd9919af7cf783ab to <59f80c919713250fe5d25a4d9aea4e49580fa1d4; 14909664e4e192f4c6f6fcdccd9919af7cf783ab to <2fa49b2715e1bad12ce3b0fa64e234d9582c8193; 14909664e4e192f4c6f6fcdccd9919af7cf783ab to <cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c; 14909664e4e192f4c6f6fcdccd9919af7cf783ab to <f0e42f0c4337b1f220de1ddd63f47197c7dee4de
LinuxLinux3.18; 0 to <3.18; 5.10.259 to <=5.10.*; 5.15.210 to <=5.15.*; 6.1.176 to <=6.1.*; 6.6.143 to <=6.6.*; 6.12.94 to <=6.12.*; 6.18.36 to <=6.18.*; 7.0.13 to <=7.0.*; 7.1 to <=*

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 25 Jun 2026 10:14 UTC.