Always-Incorrect Control Flow Implementation in Linux kernel - CVE-2026-43057

 


Published: May 2, 2026


Vulnerability identifier: #VU128857
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43057
CWE-ID: CWE-670
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software: Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of checksum offload fallback in the IPv6 GSO fallback logic when processing tunneled IPv6 traffic with extension headers or without an inner IP protocol. A local user can send specially crafted packets to cause a denial of service.

The issue affects tunneled traffic, including cases where the inner header rather than the outer network header must be validated.


How to mitigate CVE-2026-43057

Install the security update from the vendor's repository.
