EUVD-2026-39478

Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer allocated from a memory...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerabilities have been resolved: ipv6: avoided use-after-free in ip6fragment The blamed commit claimed that rcureadlock was held by the callers of ip6fragment. It seems not to always be true, at least for the UDP stack. syzbot reported: BUG: KASAN:...

One (Thread) Can Keep a (PRNG) Secret, but Not Two

We present a novel, practical attack on the IPv6 Fragment ID generation algorithm of XNU, which is the kernel used by Apple products such as macOS and iOS. This attack exploits a race-condition vulnerability in the algorithm's pseudorandom number generator PRNG to cryptanalytically break, learn t...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002057)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002057 advisory. The ip6fragqueue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping...

CVE-2023-4809

In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a...

CVE-2025-66646

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things IoT devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving an fragmented IPv6 packe...

OPENSUSE-SU-2025:20119-1 Security update for tcpreplay

This update for tcpreplay fixes the following issues: - update to 4.5.2: features added since 4.4.4 - fix/recalculate header checksum for ipv6-frag - IPv6 frag checksum support - AFXDP socket support - tcpreplay -w write into a pcap file - tcpreplay --fixhdrlen - --include and --exclude options -...

CVE-2019-5597

In FreeBSD 11.3-PRERELEASE and 12.0-STABLE before r347591, 11.2-RELEASE before 11.2-RELEASE-p10, and 12.0-RELEASE before 12.0-RELEASE-p4, a bug in the pf IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of the first packet...

DEBIAN-CVE-2022-48956

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6fragment Blamed commit claimed rcureadlock was held by ip6fragment callers. It seems to not be always true, at least for UDP stack. syzbot reported: BUG: KASAN: use-after-free in ip6dstidev...

UBUNTU-CVE-2022-48956

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6fragment Blamed commit claimed rcureadlock was held by ip6fragment callers. It seems to not be always true, at least for UDP stack. syzbot reported: BUG: KASAN: use-after-free in ip6dstidev...

CVE-2023-4809 pf incorrectly handles multiple IPv6 fragment headers

In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a...

CVE-2023-3107 Remote denial of service in IPv6 fragment reassembly

A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service...

SUSE CVE-2020-17469

An issue was discovered in FNET through 4.6.4. The code for IPv6 fragment reassembly tries to access a previous fragment starting from a network incoming fragment that still doesn't have a reference to the previous one which supposedly resides in the reassembly list. When faced with an incoming...

PT-2019-17780 · Freebsd · Freebsd

Name of the Vulnerable Software and Affected Versions: FreeBSD versions 12.0-STABLE before r350828 FreeBSD versions 12.0-RELEASE before 12.0-RELEASE-p10 FreeBSD versions 11.3-STABLE before r350829 FreeBSD versions 11.3-RELEASE before 11.3-RELEASE-p3 FreeBSD versions 11.2-RELEASE before...

kernel: Integer overflow in ip6_find_1stfragopt() causes infinite loop

An integer overflow vulnerability in ip6find1stfragopt function was found. A local attacker that has privileges of CAPNETRAW to open raw socket can cause an infinite loop inside the ip6find1stfragopt function...

Unbreakable Enterprise kernel security update

2.6.32-300.39.2 - ext4: fix undefined behavior in ext4fillflexinfo Xi Wang orabug 16020245 CVE-2012-2100 - Divide by zero in TCP congestion control Algorithm Jesper Dangaard Brouer orabug 16020447 CVE-2012-4565 - ipv6: discard overlapping fragment Luis Henriques orabug 16021354 CVE-2012-4444...

Important: Red Hat Security Advisory: kernel security and bug fix update

Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System CVSS base scores,...

kernel security and bug fix update

2.6.18-238.5.1.0.1.el5 - scsi fix scsi hotplug and rescan race orabug 10260172 - fix filpclose race Joe Jin orabug 10335998 - fix missing aiocomplete in endio Joel Becker orabug 10365195 - make xenkbd.abspointer=1 by default orabug 67188919 - xen check to see if hypervisor supports memory...