{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23003", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.939Z", "datePublished": "2026-01-25T14:36:17.491Z", "dateUpdated": "2026-05-11T21:58:07.465Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:07.465Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n netif_receive_skb_internal net/core/dev.c:6338 [inline]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4960 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n tun_alloc_skb drivers/net/tun.c:1461 [inline]\n tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/ip6_tunnel.c"], "versions": [{"version": "a9bc32879a08f23cdb80a48c738017e39aea1080", "lessThan": "f9c5c5b791d3850570796f9e067629474e613796", "status": "affected", "versionType": "git"}, {"version": "af6b5c50d47ab43e5272ad61935d0ed2e264d3f0", "lessThan": "64c71d60a21a9ed0a802483dcd422b5b24eb1abe", "status": "affected", "versionType": "git"}, {"version": "d54e4da98bbfa8c257bdca94c49652d81d18a4d8", "lessThan": "9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af", "status": "affected", "versionType": "git"}, {"version": "350a6640fac4b53564ec20aa3f4a0922cb0ba5e6", "lessThan": "2f03dafea0a8096a2eb60f551218b360e5bab9a3", "status": "affected", "versionType": "git"}, {"version": "8d975c15c0cd744000ca386247432d57b21f9df0", "lessThan": "df5ffde9669314500809bc498ae73d6d3d9519ac", "status": "affected", "versionType": "git"}, {"version": "8d975c15c0cd744000ca386247432d57b21f9df0", "lessThan": "b9f915340f25cae1562f18e1eb52deafca328414", "status": "affected", "versionType": "git"}, {"version": "8d975c15c0cd744000ca386247432d57b21f9df0", "lessThan": "81c734dae203757fb3c9eee6f9896386940776bd", "status": "affected", "versionType": "git"}, {"version": "c835df3bcc14858ae9b27315dd7de76370b94f3a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/ip6_tunnel.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.67", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.7", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.210", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.149", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.77", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.16", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f9c5c5b791d3850570796f9e067629474e613796"}, {"url": "https://git.kernel.org/stable/c/64c71d60a21a9ed0a802483dcd422b5b24eb1abe"}, {"url": "https://git.kernel.org/stable/c/9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af"}, {"url": "https://git.kernel.org/stable/c/2f03dafea0a8096a2eb60f551218b360e5bab9a3"}, {"url": "https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac"}, {"url": "https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414"}, {"url": "https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd"}], "title": "ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "01ECBC49-7F90-4FF1-AEF6-B66648C8D6B6", "versionEndExcluding": "5.10.249", "versionStartIncluding": "5.10.210", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "95F52E1F-730C-4F25-A02F-08F23BFE0303", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.15.149", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F20C0B3-3F3C-4673-8021-F76329E05DCB", "versionEndExcluding": "6.1.162", "versionStartIncluding": "6.1.77", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15B2E42C-6BED-4530-832D-F28F44DDED3D", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.6.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "372F97C2-A80E-4F8A-9A04-3C21671C560F", "versionEndExcluding": "6.8", "versionStartIncluding": "6.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D736713-9D1E-4935-A902-B3460D4423F6", "versionEndExcluding": "6.12.67", "versionStartIncluding": "6.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436", "versionEndExcluding": "6.18.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:*", "matchCriteriaId": "41E47F32-BA80-4333-96FD-4D25082B0FDD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n netif_receive_skb_internal net/core/dev.c:6338 [inline]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4960 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n tun_alloc_skb drivers/net/tun.c:1461 [inline]\n tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nip6_tunnel: usar skb_vlan_inet_prepare() en __ip6_tnl_rcv()\n\nEl commit culpable no tuvo en cuenta las encapsulaciones VLAN como fue detectado por syzbot [1].\n\nUsar skb_vlan_inet_prepare() en lugar de pskb_inet_may_pull().\n\n[1]\n ERROR: KMSAN: valor no inicializado en __INET_ECN_decapsulate include/net/inet_ecn.h:253 [en l\u00ednea]\n ERROR: KMSAN: valor no inicializado en INET_ECN_decapsulate include/net/inet_ecn.h:275 [en l\u00ednea]\n ERROR: KMSAN: valor no inicializado en IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [en l\u00ednea]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [en l\u00ednea]\n IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [en l\u00ednea]\n ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [en l\u00ednea]\n ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:318 [en l\u00ednea]\n ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core net/core/dev.c:6139 [en l\u00ednea]\n __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n netif_receive_skb_internal net/core/dev.c:6338 [en l\u00ednea]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [en l\u00ednea]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [en l\u00ednea]\n __do_sys_write fs/read_write.c:749 [en l\u00ednea]\n __se_sys_write fs/read_write.c:746 [en l\u00ednea]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [en l\u00ednea]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nEl valor no inicializado fue creado en:\n slab_post_alloc_hook mm/slub.c:4960 [en l\u00ednea]\n slab_alloc_node mm/slub.c:5263 [en l\u00ednea]\n kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n alloc_skb include/linux/skbuff.h:1383 [en l\u00ednea]\n alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n tun_alloc_skb drivers/net/tun.c:1461 [en l\u00ednea]\n tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [en l\u00ednea]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [en l\u00ednea]\n __do_sys_write fs/read_write.c:749 [en l\u00ednea]\n __se_sys_write fs/read_write.c:746 [en l\u00ednea]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [en l\u00ednea]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 No contaminado syzkaller #0 PREEMPT(none)\nNombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 25/10/2025"}], "id": "CVE-2026-23003", "lastModified": "2026-04-27T14:16:29.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-25T15:15:55.170", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2f03dafea0a8096a2eb60f551218b360e5bab9a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/64c71d60a21a9ed0a802483dcd422b5b24eb1abe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f9c5c5b791d3850570796f9e067629474e613796"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()", "id": "2432681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432681"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n[1]\nBUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\nBUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\nBUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\nINET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\nIP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\nip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n__ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\nip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\ngre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\nip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\nip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\nNF_HOOK include/linux/netfilter.h:318 [inline]\nip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\nip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\ndst_input include/net/dst.h:474 [inline]\nip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\nNF_HOOK include/linux/netfilter.h:318 [inline]\nipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n__netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n__netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\nnetif_receive_skb_internal net/core/dev.c:6338 [inline]\nnetif_receive_skb+0x57/0x630 net/core/dev.c:6397\ntun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\ntun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\ntun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\nnew_sync_write fs/read_write.c:593 [inline]\nvfs_write+0xbe2/0x15d0 fs/read_write.c:686\nksys_write fs/read_write.c:738 [inline]\n__do_sys_write fs/read_write.c:749 [inline]\n__se_sys_write fs/read_write.c:746 [inline]\n__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\nx64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:4960 [inline]\nslab_alloc_node mm/slub.c:5263 [inline]\nkmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\nkmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n__alloc_skb+0x805/0x1040 net/core/skbuff.c:690\nalloc_skb include/linux/skbuff.h:1383 [inline]\nalloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\nsock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\ntun_alloc_skb drivers/net/tun.c:1461 [inline]\ntun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\ntun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\nnew_sync_write fs/read_write.c:593 [inline]\nvfs_write+0xbe2/0x15d0 fs/read_write.c:686\nksys_write fs/read_write.c:738 [inline]\n__do_sys_write fs/read_write.c:749 [inline]\n__se_sys_write fs/read_write.c:746 [inline]\n__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\nx64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025"], "name": "CVE-2026-23003", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23003\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23003\nhttps://lore.kernel.org/linux-cve-announce/2026012535-CVE-2026-23003-e684@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-28T22:27:18.987371+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the skb_vlan_inet_prepare patch for __ip6_tnl_rcv (e.g., the latest 6.19 or newer release that contains the fixed commit).", "Disable IPv6 tunneling or VLAN encapsulation on network interfaces that do not require them to reduce the attack surface.", "If an immediate kernel upgrade is not possible, apply a backported patch or revert the commit that introduced the uninitialized read, effectively restoring the original skb handling logic for the tunnel path."], "summary": {"action": "Patch Kernel", "impact": "Kernel crash via uninitialized data in IPv6 tunnel handling"}, "threat_synthesis": {"affected_systems": "Affected are Linux systems running kernel 6.8 and the 6.19 release\u2011candidate series (RC1 through RC8). The vulnerability resides in the __ip6_tnl_rcv() path that handles inbound IPv6 tunnel traffic. Installing a kernel version that incorporates the commit replacing the pull routine with skb_vlan_inet_prepare() resolves the issue.", "description_and_impact": "The flaw exists in the Linux kernel's IPv6 tunnel code, where an uninitialized value is read during the decapsulation of IPv6 packets. This occurs because the routine that prepares the packet for decapsulation fails to account for VLAN encapsulation, leading to the use of skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). The result is potential corruption of kernel memory or an immediate crash, which would manifest as a denial of service on the host that processes the malformed packets. Based on the description, it is inferred that the uninitialized value leads to kernel panic during packet processing, causing a loss of availability.", "risk_and_exploitability": "The CVSS score of 7.5 denotes high impact, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of reporting. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to send specially crafted IPv6 packets containing VLAN tags to a target system capable of processing tunnel traffic. If successful, the flaw can cause a kernel panic, leading to a denial of service. No other attack vectors or preconditions are documented in the supplied data. Based on the description, the likely attack vector is the transmission of specially crafted IPv6 packets that embed VLAN tags to a host that handles IPv6 tunnels, which does not require admin rights on the target."}}}}, "created": "2026-04-18T03:00:10.328254+00:00", "updated": "2026-04-28T22:30:41.636103+00:00", "vendors": []}