CVE-2026-43164 in Linux
Zusammenfassung
von VulDB • 28.05.2026
Implied question: **What is the cause of this kernel crash (BUG/Oops) shown in the stack trace, and how can it be fixed?**
### Analysis of the Stack Trace
This is a **kernel NULL pointer dereference** or similar memory corruption bug triggered during an IPv6 UDP send operation. Here's the breakdown:
#### 1. **Trigger Point** - The crash occurs in user-space via `sys_sendto` (`__x64_sys_sendto`), which sends an IPv6 UDP packet. - The path goes through: ``` udpv6_sendmsg → udp_v6_push_pending_frames → udp_v6_send_skb → ip6_send_skb → ip6_output → ip6_finish_output → __ip6_finish_output → __dev_queue_xmit ``` - The crash happens inside `__dev_queue_xmit` (net/core/dev.c:4856), specifically after `rcu_read_unlock_bh`.
#### 2. **Key Clues** - **RIP**: `0x7f67b4d9c629` — This is a **user-space address** (starts with `0x7f...`), not a kernel address. This is highly unusual and suggests: - The kernel jumped to an invalid/corrupted function pointer. - Or, more likely, this is a **KASAN/UBSAN/BUG** report where the RIP shown is from the **user-space context** that triggered the fault, but the actual crash happened in kernel space. However, the RIP here looks like a user-space library address (e.g., glibc). This often happens when the kernel oops is reported with the user-space RIP that caused the syscall. - **More importantly**: The actual crash location is **inside `__dev_queue_xmit`** at `net/core/dev.c:4856`.
- **RAX: `0xffffffffffffffda`** — This is `-42` in signed 64-bit, or `0xffffffda` in unsigned. This is a common error code (`-EINVAL` is `-22`, `-EFAULT` is `-14`, `-42` is `-EOPNOTSUPP` or similar). But more critically, **RAX is often used to hold the return value or a pointer**. If this is a NULL dereference, RAX might be the pointer that was NULL.
- **The crash is in `__dev_queue_xmit`**. Looking at Linux kernel source around `net/core/dev.c:4856` (this line number varies by kernel version), this function is responsible for queuing a packet to a network device's transmit queue.
#### 3. **Most Likely Cause** The most common cause of a crash in `__dev_queue_xmit` during IPv6 UDP send is:
- **NULL `skb->dst` or corrupted `dst` entry**: The IPv6 output path expects `skb->dst` to be set. If it's NULL or corrupted, dereferencing it in `__dev_queue_xmit` (e.g., to get the device or route) will crash. - **Corrupted `net_device` pointer**: If `skb->dev` or the device's transmit queue is corrupted. - **RCU race condition**: The trace shows `rcu_read_unlock_bh` just before the crash. If an RCU-protected pointer was accessed after being freed, this could cause a crash. However, the `rcu_read_unlock_bh` is just exiting an RCU read-side critical section; the crash likely happened **during** the RCU read section or due to a use-after-free.
#### 4. **Specific Bug Pattern** In recent Linux kernels, there have been bugs related to: - **IPv6 route caching corruption**: If the route cache is corrupted, `skb->dst` may point to freed memory. - **UDP socket with invalid destination**: If the user sends to an invalid IPv6 address, the routing lookup may fail or return a corrupted route. - **Kernel bug in `ip6_finish_output`**: If `ip6_finish_output` fails to set up the destination properly, `__dev_queue_xmit` will crash.
### How to Fix/Debug
1. **Check Kernel Version**: This bug may have been fixed in newer kernels. Check if your kernel version is affected by known CVEs or bug reports related to IPv6 UDP send crashes.
2. **Enable KASAN**: Compile the kernel with `CONFIG_KASAN=y` to get a detailed stack trace showing exactly which pointer was NULL or invalid.
3. **Check for Corrupted Routes**: ```bash ip -6 route show ``` Ensure the routing table is valid.
4. **Reproduce with Minimal Test Case**: ```c #
If you want to get best quality of vulnerability data, you may have to visit VulDB.