CVE-2026-53228 (GCVE-0-2026-53228)

Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
VLAI
Title
ipv6: sit: reload inner IPv6 header after GSO offloads
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < fddd41445a0537b093e6b3f6232c9933cad1e48b (git)
Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 1132e5edc2866c3530be17622153a597095f0e43 (git)
Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 9c67b44edb3598d234efae6e44649eb993c03da5 (git)
Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0 (git)
Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 59f80c919713250fe5d25a4d9aea4e49580fa1d4 (git)
Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 2fa49b2715e1bad12ce3b0fa64e234d9582c8193 (git)
Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c (git)
Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < f0e42f0c4337b1f220de1ddd63f47197c7dee4de (git)
Create a notification for this product.
Linux Linux Affected: 3.18
Unaffected: 0 , < 3.18 (semver)
Unaffected: 5.10.259 , ≤ 5.10.* (semver)
Unaffected: 5.15.210 , ≤ 5.15.* (semver)
Unaffected: 6.1.176 , ≤ 6.1.* (semver)
Unaffected: 6.6.143 , ≤ 6.6.* (semver)
Unaffected: 6.12.94 , ≤ 6.12.* (semver)
Unaffected: 6.18.36 , ≤ 6.18.* (semver)
Unaffected: 7.0.13 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/sit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fddd41445a0537b093e6b3f6232c9933cad1e48b",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            },
            {
              "lessThan": "1132e5edc2866c3530be17622153a597095f0e43",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            },
            {
              "lessThan": "9c67b44edb3598d234efae6e44649eb993c03da5",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            },
            {
              "lessThan": "0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            },
            {
              "lessThan": "59f80c919713250fe5d25a4d9aea4e49580fa1d4",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            },
            {
              "lessThan": "2fa49b2715e1bad12ce3b0fa64e234d9582c8193",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            },
            {
              "lessThan": "cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            },
            {
              "lessThan": "f0e42f0c4337b1f220de1ddd63f47197c7dee4de",
              "status": "affected",
              "version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/sit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.18"
            },
            {
              "lessThan": "3.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.259",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.259",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.210",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.176",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.143",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.94",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.36",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.13",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sit: reload inner IPv6 header after GSO offloads\n\nipip6_tunnel_xmit() caches the inner IPv6 header pointer at function\nentry and continues using it after iptunnel_handle_offloads().\n\nFor GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().\nWhen the skb header is cloned, skb_header_unclone() can call\npskb_expand_head(), which may move the skb head. The pskb_expand_head()\ncontract requires pointers into the skb header to be reloaded after the\ncall.\n\nIf the later skb_realloc_headroom() branch is not taken, SIT uses the\nstale iph6 pointer to read the inner hop limit and DS field. That can\nread from a freed skb head after the old head\u0027s remaining clone is\nreleased.\n\nReload iph6 after the offload helper succeeds and before subsequent\nreads from the inner IPv6 header. Keep the existing reload after\nskb_realloc_headroom(), since that branch can also replace the skb."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T06:40:38.747Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fddd41445a0537b093e6b3f6232c9933cad1e48b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1132e5edc2866c3530be17622153a597095f0e43"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c67b44edb3598d234efae6e44649eb993c03da5"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/59f80c919713250fe5d25a4d9aea4e49580fa1d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fa49b2715e1bad12ce3b0fa64e234d9582c8193"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0e42f0c4337b1f220de1ddd63f47197c7dee4de"
        }
      ],
      "title": "ipv6: sit: reload inner IPv6 header after GSO offloads",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53228",
    "datePublished": "2026-06-25T08:39:27.893Z",
    "dateReserved": "2026-06-09T07:44:35.393Z",
    "dateUpdated": "2026-06-28T06:40:38.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53228",
      "date": "2026-07-01",
      "epss": "0.00559",
      "percentile": "0.42369"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-53228\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-25T09:16:40.657\",\"lastModified\":\"2026-06-30T14:44:27.313\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sit: reload inner IPv6 header after GSO offloads\\n\\nipip6_tunnel_xmit() caches the inner IPv6 header pointer at function\\nentry and continues using it after iptunnel_handle_offloads().\\n\\nFor GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().\\nWhen the skb header is cloned, skb_header_unclone() can call\\npskb_expand_head(), which may move the skb head. The pskb_expand_head()\\ncontract requires pointers into the skb header to be reloaded after the\\ncall.\\n\\nIf the later skb_realloc_headroom() branch is not taken, SIT uses the\\nstale iph6 pointer to read the inner hop limit and DS field. That can\\nread from a freed skb head after the old head\u0027s remaining clone is\\nreleased.\\n\\nReload iph6 after the offload helper succeeds and before subsequent\\nreads from the inner IPv6 header. Keep the existing reload after\\nskb_realloc_headroom(), since that branch can also replace the skb.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/ipv6/sit.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"fddd41445a0537b093e6b3f6232c9933cad1e48b\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"1132e5edc2866c3530be17622153a597095f0e43\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"9c67b44edb3598d234efae6e44649eb993c03da5\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"59f80c919713250fe5d25a4d9aea4e49580fa1d4\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"2fa49b2715e1bad12ce3b0fa64e234d9582c8193\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"14909664e4e192f4c6f6fcdccd9919af7cf783ab\",\"lessThan\":\"f0e42f0c4337b1f220de1ddd63f47197c7dee4de\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/ipv6/sit.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"3.18\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"3.18\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.259\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.210\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.176\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.143\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.94\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.36\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.0.13\",\"lessThanOrEqual\":\"7.0.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1132e5edc2866c3530be17622153a597095f0e43\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2fa49b2715e1bad12ce3b0fa64e234d9582c8193\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/59f80c919713250fe5d25a4d9aea4e49580fa1d4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9c67b44edb3598d234efae6e44649eb993c03da5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f0e42f0c4337b1f220de1ddd63f47197c7dee4de\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fddd41445a0537b093e6b3f6232c9933cad1e48b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…