
CVE

DEBIAN-CVE-2026-43038


In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2).

  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18.

  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).

  This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao.

  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info?

  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this?

This patch implements the first suggestion.

I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.
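The cb[] overlap described above can be reproduced in a small user-space model. This is an added example, not code from the kernel or from this advisory; the `model_*` structs are simplified, assumed layouts trimmed to the leading fields that determine the two offsets, and the `memset` stands in for the fix of clearing skb2->cb[] after the clone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structs (assumed, trimmed layouts). */
struct model_ip_options {
    uint32_t faddr, nexthop;
    uint8_t optlen, srr, rr, ts, flags, router_alert, cipso, pad2;
};
struct model_inet_skb_parm {            /* IPv4 view of the control buffer */
    int32_t iif;
    struct model_ip_options opt;
};
struct model_inet6_skb_parm {           /* IPv6 view of the same bytes */
    int32_t iif;
    uint16_t ra, dst0, srcrt, dst1, lastopt, nhoff, flags, dsthao;
};
struct model_skb { unsigned char cb[48]; };

/* IPv4 receive path: records where the CIPSO option sits in the header. */
static void ipv4_path_sets_cipso(struct model_skb *skb, uint8_t off) {
    struct model_inet_skb_parm p;
    memset(&p, 0, sizeof(p));
    p.opt.cipso = off;
    memcpy(skb->cb, &p, sizeof(p));
}

/* IPv6 path: reinterprets the same bytes and reads dsthao. */
static uint16_t ipv6_path_reads_dsthao(const struct model_skb *skb) {
    struct model_inet6_skb_parm p;
    memcpy(&p, skb->cb, sizeof(p));
    return p.dsthao;
}

/* Clone the buffer, optionally clear cb[] (the fix), then read as IPv6. */
static uint16_t dsthao_after_clone(const struct model_skb *skb, int clear_cb) {
    struct model_skb skb2 = *skb;
    if (clear_cb)
        memset(skb2.cb, 0, sizeof(skb2.cb));
    return ipv6_path_reads_dsthao(&skb2);
}

int main(void) {
    struct model_skb skb = {{0}};
    ipv4_path_sets_cipso(&skb, 20);     /* constructed sample offset */
    printf("stale cb:   dsthao=%u\n", (unsigned)dsthao_after_clone(&skb, 0));
    printf("cleared cb: dsthao=%u\n", (unsigned)dsthao_after_clone(&skb, 1));
    return 0;
}
```

With the stale control buffer the IPv6 view reports a non-zero dsthao derived from the IPv4 CIPSO offset; once cb[] is zeroed the value is 0.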

CVSS Version

CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://security-tracker.debian.org/tracker/CVE-2026-43038

Severity

CVSS Score: 9.8 (scale 0 to 10)

Basic Information

Ecosystem
Base CVSS: 9.8
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 0
Fix Available: 6.1.170-1, 6.12.85-1, 6.19.12-1, 6.1.170-1~deb11u1
