CVE-2026-43501

CRITICAL

ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-43501. PoCs published by Anyone202.

AI-analyzed exploit summary This repository provides a functional exploit for CVE-2026-43501, a local privilege escalation (LPE) vulnerability in the Android kernel. The exploit includes a Termux-based management interface with HMAC-SHA256 token authentication, a Flask web server for root management, and a test suite validating the escalation link generation and command injection defenses.

Description

In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes). pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to: skb_set_mac_header(skb, -skb->mac_len); will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head. A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv. Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.

Exploits (1)

nomisec WORKING POC
by Anyone202 · poc
https://github.com/Anyone202/cybermeowfia-termux

This repository provides a functional exploit for CVE-2026-43501, a local privilege escalation (LPE) vulnerability in the Android kernel. The exploit includes a Termux-based management interface with HMAC-SHA256 token authentication, a Flask web server for root management, and a test suite validating the escalation link generation and command injection defenses.

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Android kernel (CVE-2026-43501)
Auth required
Prerequisites: Termux environment on a vulnerable Android device · Initial user-level access to execute the exploit · Python and required dependencies installed
mistral-large-3 · analyzed Jul 11, 2026 Full analysis →

Scores

CVSS v3 9.8
EPSS 0.0047
EPSS Percentile 37.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-131 CWE-787
Status published
Products (28)
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 5.7.0 - 5.10.258linux
linux/Kernel 6.13.0 - 6.18.27linux
linux/Kernel 6.19.0 - 7.0.4linux
linux/Kernel 6.2.0 - 6.6.140linux
linux/Kernel 6.7.0 - 6.12.86linux
Linux/Linux < 5.7
Linux/Linux 5.10.258 - 5.10.*
Linux/Linux 5.15.209 - 5.15.*
... and 18 more
Published May 21, 2026
Tracked Since May 21, 2026