CVE-2026-53006: ipv6: fix possible UAF in icmpv6_rcv()
In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix possible UAF in icmpv6_rcv()

Caching saddr and daddr before pskb_pull() is problematic since skb->head can change.

Remove these temporary variables:
- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr when net_dbg_ratelimited() is called in the slow path.
- Avoid potential future misuse after pskb_pull() call.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free (UAF) vulnerability exists in the Linux kernel's ICMPv6 receive path, specifically in the icmpv6_rcv() function. The flaw arises because source and destination IPv6 address pointers are cached before pskb_pull() is called; if that operation reallocates the socket buffer's head, the cached pointers reference freed memory. An unauthenticated attacker who can reach the host over the network can exploit this to read sensitive kernel memory, corrupt kernel data structures, or crash the host, with no user interaction required. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running an affected kernel version.
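The stale-pointer pattern described above, as an added userspace model (not kernel code and not the upstream patch): `toy_skb`, `toy_saddr()` and `toy_pull()` are hypothetical stand-ins for `sk_buff`, `&ipv6_hdr(skb)->saddr` and the `pskb_pull()` slow path. It records the header address before the pull and compares it with the re-derived address afterwards, without ever dereferencing the old location.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an sk_buff: a linear area at head, header at an offset. */
struct toy_skb {
    unsigned char *head;   /* may be replaced by toy_pull() */
    size_t hdr_off;        /* offset of the IPv6 header inside head */
    size_t linear;         /* bytes currently in the linear area */
};

#define SADDR_OFF 8        /* saddr offset inside an IPv6 header */

/* Models &ipv6_hdr(skb)->saddr: always derived from the current head. */
static unsigned char *toy_saddr(const struct toy_skb *skb)
{
    return skb->head + skb->hdr_off + SADDR_OFF;
}

/* Models the pull slow path: needing more linear bytes replaces head. */
static int toy_pull(struct toy_skb *skb, size_t need)
{
    if (need <= skb->linear)
        return 0;                       /* fast path, head unchanged */
    unsigned char *nh = calloc(1, need);
    if (!nh)
        return -1;
    memcpy(nh, skb->head, skb->linear);
    free(skb->head);                    /* anything pointing here is now stale */
    skb->head = nh;
    skb->linear = need;
    return 0;
}

/* Returns 1 if an address taken before the pull no longer matches the
 * header location after it (a cached pointer would dangle), 0 if not. */
static int cached_addr_is_stale(size_t linear, size_t need)
{
    struct toy_skb skb = { calloc(1, linear), 0, linear };
    if (!skb.head)
        return -1;
    uintptr_t cached = (uintptr_t)toy_saddr(&skb);    /* removed pattern */
    if (toy_pull(&skb, need) < 0) { free(skb.head); return -1; }
    int stale = cached != (uintptr_t)toy_saddr(&skb); /* fix: re-derive */
    free(skb.head);
    return stale;
}
```

With 64 constructed linear bytes, `cached_addr_is_stale(64, 128)` returns 1 and `cached_addr_is_stale(64, 40)` returns 0, which is why a cached pointer can appear to work in the fast path and only dangle when the head is replaced.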
HarborGuard Coverage
Detection of CVE-2026-53006 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle their own kernel or kernel modules.
Available
HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and applies per-environment compliance policy weighting to prioritize alert routing to the appropriate team inbox within each customer organization.
Available
A patched-image rebuild targeting the upstream fix commits is available on HarborGuard for any environment found running an affected kernel version. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The vulnerable ICMPv6 code path is reachable over the network; an attacker must be able to send crafted ICMPv6 packets to the target host.
- Authentication: Not required
  No account or credential of any kind is required; the attacker sends unauthenticated network packets directly to the affected service.
- Victim interaction: Not required
  Exploitation is fully attacker-driven; no user or administrator on the target system needs to take any action.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond network access.
Blast Radius
- A successful attacker can read arbitrary kernel memory, exposing secrets such as cryptographic keys, credentials, or other processes' data mapped into kernel space.
- The attacker can corrupt kernel data structures, enabling privilege escalation or persistent code execution inside the kernel.
- The vulnerability can be triggered to crash the affected host entirely, taking down all containerized workloads running on that node.
- Any container sharing the host kernel, regardless of namespace isolation, is exposed if the host kernel is vulnerable.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication, matching against all images in connected registries and pipelines, including custom kernel-bundling images. Given the CRITICAL severity (9.8) and the fully remote, no-auth exploit path, affected images are flagged at the highest priority tier and routed immediately under applicable compliance policies. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at a fixed commit, runs the regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the specific fix commits (including 0069813e6ca9, 085e31a811ef, 1e1f0f89ee46, and 38bdbc897c0d) in the finding detail so engineers can target the correct upstream patch. As a compensating control while a rebuild is prepared, network policy isolation restricting inbound ICMPv6 traffic to trusted sources reduces the exploitable attack surface without requiring a kernel update.
Fix available
- Linux / Linux · < 7bff2c8fe5c35ae58bf73104f53db3676e6e5d94 (from 4b3418fba0fe819197e3359d5ddbef84ba2c59de) · < aff0f28f5be803de2452ce702631c021fcd9ce8a (from 4b3418fba0fe819197e3359d5ddbef84ba2c59de) · < 38bdbc897c0d83a3e2b925a51b69420f1feba29a (from 4b3418fba0fe819197e3359d5ddbef84ba2c59de) · < 0069813e6ca9309eca78022bcb3aeb1e9ef90a12 (from 4b3418fba0fe819197e3359d5ddbef84ba2c59de) · < 1e1f0f89ee4692a64be3f3707ff8ac1ae57b03e7 (from 4b3418fba0fe819197e3359d5ddbef84ba2c59de) · < 7c66b368c6ff453f99cb39d84af93e908e51eef2 (from 4b3418fba0fe819197e3359d5ddbef84ba2c59de)
- Linux / Linux · 4.4 · Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H