CVE-2026-43057 (GCVE-0-2026-43057)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback

NETIF_F_IPV6_CSUM only advertises support for checksum offload of
packets without IPv6 extension headers. Packets with extension
headers must fall back onto software checksumming. Since TSO
depends on checksum offload, those must revert to GSO.

The below commit introduces that fallback. It always checks
network header length. For tunneled packets, the inner header length
must be checked instead. Extend the check accordingly.

A special case is tunneled packets without inner IP protocol. Such as
RFC 6951 SCTP in UDP. Those are not standard IPv6 followed by
transport header either, so also must revert to the software GSO path.
Severity
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a0478d7e888028f85fa7785ea838ce0ca09398e2 , < 2094a7cf91b71367b649f991aacc7b579f793d0b (git) |
| Linux | Linux | Affected: 2156d9e9f2e483c8c3906c0ea57ea312c1424235 , < ed71cf465c75f5688b07a35d373cd1d6b589c8ea (git) |
| Linux | Linux | Affected: 041e2f945f82fdbd6fff577b79c33469430297aa , < 33670f780e0120c3dacda188c512bbffe0b6044c (git) |
| Linux | Linux | Affected: 864e3396976ef41de6cc7bc366276bf4e084fff2 , < a98b78116a27e2a57b696b569b2cb431c95cf9b6 (git) |
| Linux | Linux | Affected: 864e3396976ef41de6cc7bc366276bf4e084fff2 , < 732fdeb2987c94b439d51f5cb9addddc2fc48c42 (git) |
| Linux | Linux | Affected: 864e3396976ef41de6cc7bc366276bf4e084fff2 , < c4336a07eb6b2526dc2b62928b5104b41a7f81f5 (git) |
| Linux | Linux | Affected: 794ddbb7b63b6828c75967b9bcd43b086716e7a1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2094a7cf91b71367b649f991aacc7b579f793d0b",
"status": "affected",
"version": "a0478d7e888028f85fa7785ea838ce0ca09398e2",
"versionType": "git"
},
{
"lessThan": "ed71cf465c75f5688b07a35d373cd1d6b589c8ea",
"status": "affected",
"version": "2156d9e9f2e483c8c3906c0ea57ea312c1424235",
"versionType": "git"
},
{
"lessThan": "33670f780e0120c3dacda188c512bbffe0b6044c",
"status": "affected",
"version": "041e2f945f82fdbd6fff577b79c33469430297aa",
"versionType": "git"
},
{
"lessThan": "a98b78116a27e2a57b696b569b2cb431c95cf9b6",
"status": "affected",
"version": "864e3396976ef41de6cc7bc366276bf4e084fff2",
"versionType": "git"
},
{
"lessThan": "732fdeb2987c94b439d51f5cb9addddc2fc48c42",
"status": "affected",
"version": "864e3396976ef41de6cc7bc366276bf4e084fff2",
"versionType": "git"
},
{
"lessThan": "c4336a07eb6b2526dc2b62928b5104b41a7f81f5",
"status": "affected",
"version": "864e3396976ef41de6cc7bc366276bf4e084fff2",
"versionType": "git"
},
{
"status": "affected",
"version": "794ddbb7b63b6828c75967b9bcd43b086716e7a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: correctly handle tunneled traffic on IPV6_CSUM GSO fallback\n\nNETIF_F_IPV6_CSUM only advertises support for checksum offload of\npackets without IPv6 extension headers. Packets with extension\nheaders must fall back onto software checksumming. Since TSO\ndepends on checksum offload, those must revert to GSO.\n\nThe below commit introduces that fallback. It always checks\nnetwork header length. For tunneled packets, the inner header length\nmust be checked instead. Extend the check accordingly.\n\nA special case is tunneled packets without inner IP protocol. Such as\nRFC 6951 SCTP in UDP. Those are not standard IPv6 followed by\ntransport header either, so also must revert to the software GSO path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:27.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2094a7cf91b71367b649f991aacc7b579f793d0b"
},
{
"url": "https://git.kernel.org/stable/c/ed71cf465c75f5688b07a35d373cd1d6b589c8ea"
},
{
"url": "https://git.kernel.org/stable/c/33670f780e0120c3dacda188c512bbffe0b6044c"
},
{
"url": "https://git.kernel.org/stable/c/a98b78116a27e2a57b696b569b2cb431c95cf9b6"
},
{
"url": "https://git.kernel.org/stable/c/732fdeb2987c94b439d51f5cb9addddc2fc48c42"
},
{
"url": "https://git.kernel.org/stable/c/c4336a07eb6b2526dc2b62928b5104b41a7f81f5"
}
],
"title": "net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43057",
"datePublished": "2026-05-01T14:15:49.551Z",
"dateReserved": "2026-05-01T14:12:55.981Z",
"dateUpdated": "2026-05-03T05:46:27.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43057",
"date": "2026-05-04",
"epss": "0.00053",
"percentile": "0.16307"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.