What is GHSA-29pf-hv9p-f96v?

GHSA-29pf-hv9p-f96v is a security advisory published by GitHub Security Advisories with Critical severity. In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and...

Which CVE IDs does GHSA-29pf-hv9p-f96v cover?

GHSA-29pf-hv9p-f96v covers the following CVE IDs: CVE-2026-43083. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-29pf-hv9p-f96v?

GHSA-29pf-hv9p-f96v has a CVSS v3 base score of 9.1, published by GitHub Security Advisories.

GHSA-29pf-hv9p-f96vCriticalCVSS 9.1

In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and...

Vendor

GitHub Security Advisories

Published

May 6, 2026

Last Modified

June 1, 2026

🔗 CVE IDs covered (1)

CVE-2026-43083 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

net: ioam6: fix OOB and missing lock

When trace->type.bit6 is set:

if (trace->type.bit6) {
    ...
    queue = skb_get_tx_queue(dev, skb);
    qdisc = rcu_dereference(queue->qdisc);

This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature.

While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.

🔗 CVE IDs covered (1)

📋 Description

🔗 References (5)