APPLIED: [SRU][N][PATCH 0/1] CVE-2026-43083

Stefan Bader stefan.bader at canonical.com
Tue Jul 14 14:49:20 UTC 2026


On 24/06/2026 10:32, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-43083
> 
> [ Impact ]
> 
> The IOAM6 implementation in the IPv6 stack has an out-of-bounds access in
> __ioam6_fill_trace_data() when trace->type.bit6 is set. On the RX path
> (is_input true), skb->queue_mapping holds the ingress device's RX queue index;
> if the ingress device has more RX queues than the egress device has TX queues,
> skb_get_tx_queue() can index past the dev->_tx[] array because the index is not
> clamped. The same code path also accessed qdisc_qstats_qlen_backlog() without
> the required lock, despite being callable from both softirq and process
> contexts, leading to potential data races.
> 
> [ Fix ]
> 
> noble: backported with AI-assisted adaptation
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this change could affect IPv6 IOAM6 trace data collection,
> causing incorrect queue statistics or, if the bounds check is wrong, continued
> out-of-bounds access in the network TX queue handling. Any locking error around
> qdisc_qstats_qlen_backlog() could introduce deadlocks or stalls in the netdev
> qdisc path.
> 

Applied to noble:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/2672b081/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/2672b081/attachment-0001.sig>


More information about the kernel-team mailing list