Linux Kernel Out-of-Bounds Access Vulnerability in IPv6 TLV Parsing

Vulnerability

A vulnerability allowing out-of-bounds access has been identified in the Linux kernel's IPv6 extension header processing. The issue arises in the 'ipv6_find_tlv' function, where the length of the option is retrieved without first verifying that more than one byte is available to read. This oversight can lead to memory access violations. The vulnerability affects the Linux kernel stable tree.
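
The missing check described above, shown as an added userspace example; it is not the kernel's code or its patch. The function name find_tlv_checked, the return codes and the sample buffers are assumptions made for illustration, and this version validates each option before comparing its type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_PAD1 0  /* Pad1 is a single byte with no length field (RFC 8200) */

/* Constructed sample option areas: Pad1, PadN(2), then a type-5 option. */
static const uint8_t sample_ok[] = { 0x00, 0x01, 0x02, 0x00, 0x00, 0x05, 0x02, 0x00, 0x00 };
static const uint8_t sample_truncated[] = { 0x00, 0x00, 0x05 }; /* type byte, no length byte */

/* Hypothetical helper, not the kernel's ipv6_find_tlv().
 * Walks buf[0..len) and returns the offset of the first option of type
 * `target`, -1 if it is absent, -2 if an option is malformed. */
int find_tlv_checked(const uint8_t *buf, size_t len, uint8_t target)
{
    size_t off = 0;

    while (off < len) {
        uint8_t type = buf[off];
        size_t remaining = len - off;
        size_t optlen;

        if (type == TLV_PAD1) {
            optlen = 1;
        } else {
            /* The length byte sits at off + 1: confirm it exists before
             * reading it. This is the check the advisory says was missing. */
            if (remaining < 2)
                return -2;
            optlen = (size_t)buf[off + 1] + 2;
            /* The declared option must also fit in the bytes that are left. */
            if (optlen > remaining)
                return -2;
        }
        if (type == target)
            return (int)off;
        off += optlen;
    }
    return -1;
}

int main(void)
{
    printf("ok: %d\n", find_tlv_checked(sample_ok, sizeof sample_ok, 0x05));
    printf("truncated: %d\n", find_tlv_checked(sample_truncated, sizeof sample_truncated, 0x05));
    return 0;
}
```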

Impact

Exploitation of this vulnerability can lead to out-of-bounds memory access, which may cause undefined behavior such as memory corruption or, potentially, arbitrary code execution.

Reproduction

The vulnerability can be reproduced by invoking the 'ipv6_find_tlv' function with a crafted packet that includes an IPv6 extension header. The packet should be constructed so that the 'optlen' variable is set without proper length validation, causing the function to read beyond the allocated buffer.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.

Added: Oct 22, 2025, 2:57 PM
Updated: Oct 22, 2025, 2:57 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.