Integer Overflow or Wraparound Affecting kernel package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Integer Overflow or Wraparound vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-CENTOS6-KERNEL-16077010
- published16 Apr 2026
- disclosed13 Apr 2026
Introduced: 13 Apr 2026
NewCVE-2026-31415 (opens in a new tab)How to fix?
There is no fixed version for Centos:6 kernel.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel package and not the kernel package as distributed by Centos.
See How to fix? for Centos:6 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid overflows in ip6_datagram_send_ctl()
Yiming Qian reported :
<quote>
I believe I found a locally triggerable kernel bug in the IPv6 sendmsg
ancillary-data path that can panic the kernel via skb_under_panic()
(local DoS).
The core issue is a mismatch between:
- a 16-bit length accumulator (
struct ipv6_txoptions::opt_flen, type__u16) and - a pointer to the last provided destination-options header (
opt->dst1opt)
when multiple IPV6_DSTOPTS control messages (cmsgs) are provided.
include/net/ipv6.h:struct ipv6_txoptions::opt_flenis__u16(wrap possible). (lines 291-307, especially 298)
net/ipv6/datagram.c:ip6_datagram_send_ctl():- Accepts repeated
IPV6_DSTOPTSand accumulates intoopt_flenwithout rejecting duplicates. (lines 909-933)
- Accepts repeated
net/ipv6/ip6_output.c:__ip6_append_data():- Uses
opt->opt_flen + opt->opt_nflento compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)
- Uses
net/ipv6/ip6_output.c:__ip6_make_skb():- Calls
ipv6_push_frag_opts()ifopt->opt_flenis non-zero. (lines 1930-1934)
- Calls
net/ipv6/exthdrs.c:ipv6_push_frag_opts()/ipv6_push_exthdr():- Push size comes from
ipv6_optlen(opt->dst1opt)(based on the pointed-to header). (lines 1179-1185 and 1206-1211)
- Push size comes from
opt_flenis a 16-bit accumulator:
include/net/ipv6.h:298defines__u16 opt_flen; /* after fragment hdr */.
ip6_datagram_send_ctl()accepts repeatedIPV6_DSTOPTScmsgs and incrementsopt_fleneach time:
- In
net/ipv6/datagram.c:909-933, forIPV6_DSTOPTS:- It computes
len = ((hdr->hdrlen + 1) << 3); - It checks
CAP_NET_RAWusingns_capable(net->user_ns, CAP_NET_RAW). (line 922) - Then it does:
opt->opt_flen += len;(line 927)opt->dst1opt = hdr;(line 928)
- It computes
There is no duplicate rejection here (unlike the legacy
IPV6_2292DSTOPTS path which rejects duplicates at
net/ipv6/datagram.c:901-904).
If enough large IPV6_DSTOPTS cmsgs are provided, opt_flen wraps
while dst1opt still points to a large (2048-byte)
destination-options header.
In the attached PoC (poc.c):
- 32 cmsgs with
hdrlen=255=>len = (255+1)*8 = 2048 - 1 cmsg with
hdrlen=0=>len = 8 - Total increment:
32*2048 + 8 = 65544, so(__u16)opt_flen == 8 - The last cmsg is 2048 bytes, so
dst1optpoints to a 2048-byte header.
- The transmit path sizes headers using the wrapped
opt_flen:
- In
net/ipv6/ip6_output.c:1463-1465:headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;
With wrapped opt_flen, headersize/headroom decisions underestimate
what will be pushed later.
- When building the final skb, the actual push length comes from
dst1optand is not limited by wrappedopt_flen:
- In
net/ipv6/ip6_output.c:1930-1934:if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);
- In
net/ipv6/exthdrs.c:1206-1211,ipv6_push_frag_opts()pushesdst1optviaipv6_push_exthdr(). - In
net/ipv6/exthdrs.c:1179-1184,ipv6_push_exthdr()does:skb_push(skb, ipv6_optlen(opt));memcpy(h, opt, ipv6_optlen(opt));
With insufficient headroom, skb_push() underflows and triggers
skb_under_panic() -> BUG():
net/core/skbuff.c:2669-2675(skb_push()callsskb_under_panic())net/core/skbuff.c:207-214(skb_panic()ends inBUG())The
IPV6_DSTOPTScmsg path requiresCAP_NET_RAWin the target netns user namespace (ns_capable(net->user_ns, CAP_NET_RAW)).Root (or any task with
CAP_NET_RAW) can trigger this without user namespaces.An unprivileged
uid=1000user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespacedCAP_NET_RAW(the attached PoC does this).Local denial of service: kernel BUG/panic (system crash).
---truncated---
References
- https://access.redhat.com/security/cve/CVE-2026-31415
- https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f
- https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e
- https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f
- https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4
- https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a
- https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31
- https://git.kernel.org/stable/c/2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a
- https://git.kernel.org/stable/c/4082f9984a694829153115d28c956a3534f52f29