CRITICAL · CVE-2026-53228 · CNA: Linux

CVE-2026-53228: ipv6: sit: reload inner IPv6 header after GSO offloads

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.
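To make the bug pattern concrete (a header pointer cached before a call that may move the skb head, beside the reload that fixes it), here is an added userland model written for this page; it is not kernel code and not the upstream patch. The names `skb`, `expand_head`, `handle_offloads`, `xmit_stale`, `xmit_reload` and `make_skb` are simplified stand-ins for the kernel structures and helpers named in the description, and the poisoned, leaked old head stands in for freed memory so the stale read is observable without undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Userland model of a socket buffer (not kernel code): one linear head buffer,
 * the byte offset of the inner IPv6 header, and whether a clone shares the header. */
struct skb { uint8_t *head; size_t size; size_t ip6_off; bool header_cloned; };
/* Only the inner-header layout the SIT path reads: DS field in the first two
 * bytes (version + traffic class), hop limit at byte 7. */
struct ip6_hdr_model { uint8_t ver_tc; uint8_t tc_flow[3]; uint16_t plen; uint8_t nexthdr; uint8_t hop_limit; };
static struct ip6_hdr_model *ipv6_hdr(struct skb *s) {
    return (struct ip6_hdr_model *)(s->head + s->ip6_off);
}
/* Models pskb_expand_head(): the head moves to a fresh allocation. The old head
 * is poisoned with 0xAA and deliberately leaked instead of freed (stand-in for
 * freed memory) so a read through a stale pointer stays defined in this model. */
static int expand_head(struct skb *s, size_t extra) {
    uint8_t *nh = malloc(s->size + extra);
    if (!nh) return -1;
    memcpy(nh, s->head, s->size);
    memset(s->head, 0xAA, s->size);
    s->head = nh; s->size += extra; s->header_cloned = false;
    return 0;
}
/* Models iptunnel_handle_offloads() -> skb_header_unclone() for a GSO skb. */
static int handle_offloads(struct skb *s, bool gso) {
    return (gso && s->header_cloned) ? expand_head(s, 64) : 0;
}
/* Vulnerable shape: iph6 is cached at entry and reused after the helper. */
static int xmit_stale(struct skb *s, bool gso) {
    struct ip6_hdr_model *iph6 = ipv6_hdr(s);
    if (handle_offloads(s, gso)) return -1;
    return iph6->hop_limit;           /* may read the old, poisoned head */
}
/* Fixed shape: reload iph6 after the helper succeeds, before reading the header. */
static int xmit_reload(struct skb *s, bool gso) {
    struct ip6_hdr_model *iph6 = ipv6_hdr(s);
    if (handle_offloads(s, gso)) return -1;
    iph6 = ipv6_hdr(s);               /* the head may have moved */
    return iph6->hop_limit;
}
/* Constructed sample: 20-byte outer IPv4 header, inner IPv6 hop limit 64. */
static struct skb *make_skb(bool cloned) {
    struct skb *s = calloc(1, sizeof *s);
    s->size = 128; s->ip6_off = 20; s->header_cloned = cloned;
    s->head = calloc(1, s->size);
    ipv6_hdr(s)->hop_limit = 64;
    return s;
}
```

With a cloned GSO skb the stale shape returns the poison byte (0xAA) instead of the real hop limit, while the reload shape returns 64; when the head is not cloned or the skb is not GSO, both shapes agree, which is why the bug only shows on the path the description singles out.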

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's IPv6-in-IPv4 SIT (Simple Internet Transition) tunnel driver. It is reachable over the network without any authentication and requires no user interaction, meaning a remote attacker can trigger it by sending crafted network packets to an affected host. Successful exploitation gives the attacker full read, write, and availability impact, including the ability to execute arbitrary code or crash the system. A patched-image rebuild at the identified fix commits (including the 5.10.259 stable branch) is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53228 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle an affected Linux kernel version. Any image exposing a kernel in the affected range is flagged automatically, with no manual feed subscription required.

Triage: Available

HarborGuard scores this CVE at 9.8 Critical (CVSS v3.1) and surfaces it at the top of the severity queue in each customer environment. Per-environment compliance policy weighting is applied so the finding is routed to the correct team inbox, whether that is a platform security team, an SRE group, or a developer owning the affected workload.

Patch: Available

A patched-image rebuild pinned to the upstream fix commits (including stable tag 5.10.259) becomes available on HarborGuard the moment the fix versions are resolvable in the relevant package feed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression suite against the new image, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reachable over the network; an attacker must be able to send packets to the target host's SIT tunnel interface from an external network position.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to trigger the vulnerability; unauthenticated packet delivery to the tunnel is sufficient.

  • Victim interaction: Not required

    No user or administrator action is required; the kernel processes incoming tunnel packets automatically without any human interaction.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions, memory-layout dependencies, or unusual configuration requirements.

Blast Radius

  • A successful attacker reads kernel memory from a freed skb head, exposing sensitive in-flight packet data including inner IPv6 headers, hop limits, and DS fields that may contain session or routing information.
  • The attacker can write through the stale pointer, corrupting kernel heap structures and enabling privilege escalation or arbitrary kernel code execution.
  • Heap corruption or a null-pointer dereference triggered by the stale pointer can crash the kernel, taking down all workloads on the affected host.
  • Any container or VM sharing the affected host kernel is exposed regardless of network namespace isolation, because the vulnerable code runs in shared kernel context.

How HarborGuard Handles This

Available on HarborGuard: images containing a Linux kernel version in the affected range are matched against this CVE within minutes of ingestion and flagged Critical (9.8). Where compliance policy permits, a rebuild against the patched kernel version (stable branch 5.10.259 or the identified upstream fix commits) is made available immediately; for customers who opt into auto-remediation, HarborGuard rebuilds the image, executes the configured regression suite, and opens a pull request against affected workloads, with a median end-to-end time of around 90 minutes for Critical-severity findings. Because the vulnerability is a kernel-level use-after-free reachable by unauthenticated network packets, customers who cannot immediately apply the patch should consider adding network-policy rules to restrict access to SIT tunnel endpoints, applying egress filtering to limit which sources can deliver IPv6-in-IPv4 encapsulated traffic, and auditing whether SIT tunnels are actually required in their workloads. HarborGuard will re-check advisory status on every ingest cycle and will surface the patched rebuild as soon as a qualifying fix version resolves in the upstream feed.


Fix available

Affected packages
  • Linux / Linux
    < fddd41445a0537b093e6b3f6232c9933cad1e48b (from 14909664e4e192f4c6f6fcdccd9919af7cf783ab) · < 1132e5edc2866c3530be17622153a597095f0e43 (from 14909664e4e192f4c6f6fcdccd9919af7cf783ab) · < 9c67b44edb3598d234efae6e44649eb993c03da5 (from 14909664e4e192f4c6f6fcdccd9919af7cf783ab) · < 0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0 (from 14909664e4e192f4c6f6fcdccd9919af7cf783ab) · < 59f80c919713250fe5d25a4d9aea4e49580fa1d4 (from 14909664e4e192f4c6f6fcdccd9919af7cf783ab) · < 2fa49b2715e1bad12ce3b0fa64e234d9582c8193 (from 14909664e4e192f4c6f6fcdccd9919af7cf783ab)
  • Linux / Linux
    3.18
    Fixed in 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H