{ "affected": [ { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:12", "name": "linux" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:13", "name": "linux" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:14", "name": "linux" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "6.19.14-1" } ], "type": "ECOSYSTEM" } ] } ], "details": "In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace-\u003etype.bit6 is set: if (trace-\u003etype.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue-\u003eqdisc); This code can lead to an out-of-bounds access of the dev-\u003e_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb-\u003equeue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev-\u003enum_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature. While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.", "id": "DEBIAN-CVE-2026-43083", "modified": "2026-05-09T08:48:05.458609478Z", "published": "2026-05-06T10:16:21.493Z", "references": [ { "type": "ADVISORY", "url": "https://security-tracker.debian.org/tracker/CVE-2026-43083" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "type": "CVSS_V3" } ], "upstream": [ "CVE-2026-43083" ] }