In the Linux kernel, the following vulnerability has been resolved:
ipv6: sit: reload inner IPv6 header after GSO offloads
ipip6tunnelxmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnelhandleoffloads().
For GSO skbs, iptunnelhandleoffloads() calls skbheaderunclone(). When the skb header is cloned, skbheaderunclone() can call pskbexpandhead(), which may move the skb head. The pskbexpandhead() contract requires pointers into the skb header to be reloaded after the call.
If the later skbreallocheadroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released.
Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skbreallocheadroom(), since that branch can also replace the skb.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53228.json",
"cna_assigner": "Linux"
}