Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.16.0-rc6-syzkaller-g7abc678e3084, < 6.16.0-rc6-syzkaller-g7abc678e3085
A vulnerability has been identified in the Linux kernel's handling of IPv6 extension headers, specifically in the 'ipv6_gso_segment' function. Packets can be crafted with excessively long extension headers, which overflows the 'skb->transport_header' field: that field is only 16 bits wide and so has a limited range. The vulnerability affects the Linux kernel stable tree in versions prior to the commit that addresses this issue.
Exploitation of this vulnerability can lead to a buffer overflow in the transport header, potentially causing memory corruption or allowing for arbitrary code execution.
The vulnerability can be reproduced by sending a crafted IPv6 packet with very long extension headers. This can be done using a tool like 'syzkaller', which is known to automate the discovery of such vulnerabilities in the Linux kernel.
Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.
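The 16-bit limit described above, shown as an added example (not kernel code and not taken from the fix commit): a simplified userland model that walks an extension-header chain and compares a truncating 16-bit store with a range-checked one. The function names, the 40-byte base offset measured from the start of the IPv6 header, and the constructed 33-header chain are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { NH_HOP = 0, NH_TCP = 6, NH_ROUTE = 43, NH_DEST = 60, IPV6_FIXED = 40 };

/* Walk the extension headers that follow the fixed IPv6 header.
 * Returns the chain length in bytes, or -1 if a header overruns the buffer. */
long ext_chain_len(const uint8_t *p, size_t len, uint8_t nh) {
    size_t off = 0;
    while (nh == NH_HOP || nh == NH_ROUTE || nh == NH_DEST) {
        if (len - off < 8) return -1;
        size_t hlen = ((size_t)p[off + 1] + 1) * 8;  /* length in 8-byte units */
        if (hlen > len - off) return -1;
        nh = p[off];                                 /* next-header byte */
        off += hlen;
    }
    return (long)off;
}

/* Flawed pattern: the offset is silently truncated to 16 bits. */
uint16_t store_offset_unchecked(size_t off) { return (uint16_t)off; }

/* Hardened pattern: refuse offsets a 16-bit field cannot represent. */
int store_offset_checked(size_t off, uint16_t *field) {
    if (off > UINT16_MAX) return -1;
    *field = (uint16_t)off;
    return 0;
}

/* Constructed sample: n destination-options headers of 2048 bytes each. */
uint8_t *build_chain(size_t n) {
    uint8_t *buf = calloc(n, 2048);
    if (!buf) return NULL;
    for (size_t i = 0; i < n; i++) {
        buf[i * 2048] = (i + 1 < n) ? NH_DEST : NH_TCP;
        buf[i * 2048 + 1] = 255;                     /* (255 + 1) * 8 = 2048 */
    }
    return buf;
}

int main(void) {
    uint8_t *buf = build_chain(33);
    if (!buf) return 1;
    size_t off = IPV6_FIXED + (size_t)ext_chain_len(buf, 33 * 2048, NH_DEST);
    uint16_t f = 0;
    printf("real=%zu truncated=%u checked=%d\n", off,
           (unsigned)store_offset_unchecked(off), store_offset_checked(off, &f));
    free(buf);
    return 0;
}
```

A stored offset that no longer matches the real header position is the condition a range check has to reject before any later code relies on the field.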