Off-by-one Error Affecting kernel-ipaclones-internal package, versions *


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.17% (7th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-KERNELIPACLONESINTERNAL-17641651
  • published27 Jun 2026
  • disclosed25 Jun 2026

Introduced: 25 Jun 2026

NewCVE-2026-53263  (opens in a new tab)
CWE-193  (opens in a new tab)

How to fix?

There is no fixed version for Centos:8 kernel-ipaclones-internal.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-ipaclones-internal package and not the kernel-ipaclones-internal package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

6lowpan: fix off-by-one in multicast context address compression

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses &data[1] as destination and &ipaddr->s6_addr[11] as source, but both should be offset by one: &data[2] and &ipaddr->s6_addr[12] respectively.

This off-by-one has two consequences:

  1. data[1] is overwritten with s6_addr[11], corrupting the RIID field in the compressed multicast address
  2. data[5] is never written, so uninitialized kernel stack memory is transmitted over the network via lowpan_push_hc_data(), leaking kernel stack contents

The correct inline data layout must match what the decompression function lowpan_uncompress_multicast_ctx_daddr() expects: data[0..1] = s6_addr[1..2] (flags/scope + RIID) data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against similar bugs in the future.

CVSS Base Scores

version 3.1