CVE-2026-46037 PUBLISHED

ipv4: icmp: validate reply type before using icmp_pointers

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: validate reply type before using icmp_pointers

Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES.

Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from d329ea5bd8845f0b196bf41b18b6173340d6e0e4 to 92e7c209036dcc0e8ffdf806fdfd3645b263bea5 (excl.)
  • affected from d329ea5bd8845f0b196bf41b18b6173340d6e0e4 to bc64a66e0b9ad937d3d49934242ee62b01ba9a94 (excl.)
  • affected from d329ea5bd8845f0b196bf41b18b6173340d6e0e4 to c2178ff1c70ebfc2ab9651b230c58a34683db759 (excl.)
  • affected from d329ea5bd8845f0b196bf41b18b6173340d6e0e4 to d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1 (excl.)
  • affected from d329ea5bd8845f0b196bf41b18b6173340d6e0e4 to 67bf002a2d7387a6312138210d0bd06e3cf4879b (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.13 is affected
  • unaffected from 0 to 5.13 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References