
Mitigating CVE-2026-43037 (ip6_tunnel) on Rocky Linux 8, 9, 10, CIQ Bridge, and LTS Variants


Arsalan Zaidi
Customer Support Engineering Lead

Jun 11, 2026

Introduction

CVE-2026-43037 is a flaw in the Linux kernel's ip6_tunnel driver, in the ICMP error handler ip4ip6_err() for IPv4-in-IPv6 (ip4ip6) tunnels. The handler does not clear the socket buffer control block (skb2->cb[]) before reusing the buffer, leaving stale control-block data that the error path then acts on. The upstream fix clears skb2->cb[] in ip4ip6_err().

The vulnerable code lives in the ip6_tunnel kernel module and is only reachable on systems that have an IPv4-in-IPv6 tunnel configured. This article covers Rocky Linux 8, 9, and 10, CIQ Bridge (CentOS 7.9 extended lifecycle), and the CIQ RLC Pro and RLC Pro LTS variants. It describes what is affected, the current patch status, and how to reduce exposure on systems that use these tunnels until a patched kernel is available.

Problem

ip6_tunnel handles IPv4-in-IPv6 encapsulation (ip4ip6 / ip6tnl tunnel devices). When the kernel receives an ICMP error for traffic carried in such a tunnel, ip4ip6_err() processes a cloned skb without first clearing its control block. The stale cb[] contents are then interpreted by the error path, which can lead to out-of-bounds handling of the buffer.

The vulnerable path is only present when an IPv4-in-IPv6 tunnel exists on the system, because ip6_tunnel is not loaded until such a tunnel device is created. Systems with no ip4ip6/ip6tnl tunnel do not load the module and do not expose this code.

Treat the following as affected when they have an IPv4-in-IPv6 tunnel configured, unless they are running a patched kernel (none is available yet, see Status):

  • Rocky Linux 8, 9, and 10 community releases
  • RLC Pro LTS 8.6, 9.2, 9.4, and 9.6
  • RLC Pro 8 (el8_10), RLC Pro 9 (el9_8), and RLC Pro 10 (el10_2)
  • RLC Pro FIPS variants on 8.6
  • CIQ Bridge (CentOS 7.9)

This is a networking flaw, not architecture-specific. It affects x86_64 and arm64 alike.

Status

  • No patched kernel is available yet, as of 2026-06-11. CIQ is tracking the fix across the affected Rocky Linux 8, 9, and 10, LTS, FIPS, and CIQ Bridge kernels. This article will be updated with exact patched kernel versions and a Patched Kernels table once builds are released.
  • Recommended interim action: if you do not use IPv4-in-IPv6 tunnels, confirm ip6_tunnel is not loaded and, optionally, block it from loading (see Mitigation). If you do use these tunnels, plan to install the patched kernel as soon as it is published, since the module-block mitigation will break your tunnels.
  • Architecture: both x86_64 and arm64 are affected.
  • Open a support case if you need help confirming exposure on your fleet, assessing tunnel impact, or tracking patched kernel availability for a specific CIQ variant.

Patched Kernels

No patched kernels are available yet. CIQ will populate the table below once builds are released.

Variant                              Patched Kernel Version   Released
RLC Pro LTS 8.6                      pending                  pending
RLC Pro LTS 9.2                      pending                  pending
RLC Pro LTS 9.4                      pending                  pending
RLC Pro LTS 9.6                      pending                  pending
RLC Pro 8 (el8_10)                   pending                  pending
RLC Pro 9 (el9_8)                    pending                  pending
RLC Pro 10 (el10_2)                  pending                  pending
RLC Pro FIPS 8.6                     pending                  pending
CIQ Bridge (CentOS 7.9)              pending                  pending
Rocky Linux 8 / 9 / 10 (Community)   pending                  pending

Confirm what is running on a given system with:

uname -r

Mitigation

The exposure is conditional: the vulnerable code is only reachable when an IPv4-in-IPv6 tunnel is configured. The right mitigation depends on whether you use these tunnels.

First, determine whether the module is in use

Check whether ip6_tunnel is loaded and whether any ip4ip6/ip6tnl tunnel devices exist:

lsmod | grep -E '^ip6_tunnel'
ip -d link show type ip6tnl

If lsmod shows nothing and ip -d link show type ip6tnl lists no devices, the system is not currently exposed through this path. If a tunnel device is listed, the module is in use and a module block will break it.

If you do not use IPv4-in-IPv6 tunnels: block the module

On systems that do not use ip4ip6/ip6tnl tunnels, prevent the module from loading so the vulnerable handler cannot be reached.

⚠️ WARNING This blocks all IPv4-in-IPv6 (ip4ip6 / ip6tnl) tunneling. Do not apply it on any system that uses these tunnels. It does not affect ordinary IPv6 traffic, GRE, WireGuard, or IPsec; it only affects the ip6_tunnel encapsulation driver. Validate against your network configuration before applying fleet-wide.

The vulnerable handler, ip4ip6_err(), lives in ip6_tunnel.ko. With the module blocked from loading, the function cannot be reached.

Install the modprobe override:

echo "install ip6_tunnel /bin/false" | sudo tee /etc/modprobe.d/cve-2026-43037.conf

If the module is already loaded but no tunnel is active, unload it so the override takes effect immediately:

sudo rmmod ip6_tunnel

If rmmod reports the module is in use, a tunnel device still exists. Do not force the unload on a production system; identify and remove the tunnel during a maintenance window, or wait for the patched kernel instead.

If you do use IPv4-in-IPv6 tunnels

There is no software mitigation that preserves the tunnels. Plan to install the patched kernel as soon as it is published. In the interim, restrict traffic to the tunnel endpoints to your trusted networks, since the vulnerable handler is driven by ICMP errors associated with tunneled traffic.

Verification

If you applied the module block, confirm the module is not loaded:

lsmod | grep -E '^ip6_tunnel'

No output means the module is not currently loaded. Confirm the override is in place and honored:

cat /etc/modprobe.d/cve-2026-43037.conf
sudo modprobe -n -v ip6_tunnel

modprobe -n -v should print install /bin/false. If it resolves to a .ko path, re-check that the file is present and readable.
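The exposure check in Mitigation and the override check in Verification can be folded into one script that classifies a host from the output of the same three commands and tells you which branch of the article applies. The script below is an added example, not code from the CIQ article or from the ip6_tunnel project. Its functions take command output as arguments, so it runs offline against the constructed sample outputs embedded in it; the device names, addresses, module sizes and the PLACEHOLDER-KERNEL path in those samples are made up for illustration. On a live host it reads the real lsmod, ip and modprobe output instead.

```shell
#!/bin/sh
# Added example (not from the CIQ article): classify a host's exposure to the
# ip6_tunnel error path and check that the modprobe override is honored.
# All inputs are passed as strings so the logic can be tested offline.

# Constructed sample outputs; not captured from a real system.
SAMPLE_LSMOD_CLEAN='tunnel6                16384  0
xt_conntrack           16384  2'
SAMPLE_LSMOD_LOADED='ip6_tunnel             49152  0
tunnel6                16384  1 ip6_tunnel'
SAMPLE_IPLINK_NONE=''
SAMPLE_IPLINK_TUNNEL='4: ip6tnl1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/tunnel6 2001:db8::1 peer 2001:db8::2 promiscuity 0 minmtu 68 maxmtu 65407
    ip6tnl ip4ip6 remote 2001:db8::2 local 2001:db8::1 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000'
SAMPLE_MODPROBE_BLOCKED='install /bin/false'
SAMPLE_MODPROBE_UNBLOCKED='insmod /lib/modules/PLACEHOLDER-KERNEL/kernel/net/ipv6/tunnel6.ko.xz
insmod /lib/modules/PLACEHOLDER-KERNEL/kernel/net/ipv6/ip6_tunnel.ko.xz'

# classify_exposure LSMOD_OUTPUT IPLINK_OUTPUT
# LSMOD_OUTPUT is "$(lsmod)", IPLINK_OUTPUT is "$(ip -d link show type ip6tnl)".
# Prints exactly one word:
#   tunnel-active     an ip6tnl device exists; a module block would break it
#   loaded-no-tunnel  module loaded but no device; rmmod then install the override
#   not-exposed       module not loaded; the vulnerable handler is unreachable
classify_exposure() {
    # Any "N: name..." line means ip reported at least one ip6tnl device.
    if printf '%s\n' "$2" | grep -Eq '^[0-9]+: '; then
        echo tunnel-active
    # lsmod lists one module per line, name first.
    elif printf '%s\n' "$1" | grep -Eq '^ip6_tunnel[[:space:]]'; then
        echo loaded-no-tunnel
    else
        echo not-exposed
    fi
}

# override_honored MODPROBE_DRY_RUN_OUTPUT
# MODPROBE_DRY_RUN_OUTPUT is "$(modprobe -n -v ip6_tunnel 2>&1)".
# Returns 0 when the install override would run instead of inserting the .ko.
override_honored() {
    printf '%s\n' "$1" | grep -Eq '^install /bin/false' \
        && ! printf '%s\n' "$1" | grep -Eq '^insmod .*ip6_tunnel\.ko'
}

# Pass "live" as the first argument to inspect the running host; with no
# argument the script demonstrates the logic on the constructed samples.
if [ "${1:-}" = live ]; then
    classify_exposure "$(lsmod)" "$(ip -d link show type ip6tnl 2>/dev/null)"
    if override_honored "$(modprobe -n -v ip6_tunnel 2>&1)"; then
        echo override-honored
    else
        echo override-missing
    fi
else
    classify_exposure "$SAMPLE_LSMOD_LOADED" "$SAMPLE_IPLINK_NONE"
fi
```

The classifier matches on the numbered interface header line rather than on the device name, because an ip4ip6 tunnel can be given any name; the `type ip6tnl` filter on the ip command already guarantees that every device listed is an ip6_tunnel device. Note that loading ip6_tunnel also creates the fallback device ip6tnl0 (shown by ip with `remote :: local ::`), so a host that reports tunnel-active solely because of ip6tnl0 has the module loaded but no configured tunnel; rmmod will still succeed there.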

Resolution

When CIQ publishes the patched kernel for your variant, install it and reboot.

On Rocky Linux 8, 9, and 10 and the RLC Pro LTS and FIPS variants, the patched kernel comes from the configured CIQ repositories with no additional setup:

sudo dnf update kernel*
sudo reboot

On CIQ Bridge (CentOS 7.9), use yum instead, with the patched kernel from the CIQ Bridge repository:

sudo yum update kernel*
sudo reboot

After reboot, confirm with uname -r that the running kernel matches the published patched version.

If you applied the module block and you actually need IPv4-in-IPv6 tunnels, remove the override after updating:

sudo rm /etc/modprobe.d/cve-2026-43037.conf
sudo modprobe ip6_tunnel

Notes

  • This is a conditional-exposure vulnerability. A system with no IPv4-in-IPv6 tunnel does not load ip6_tunnel and does not expose the vulnerable handler. This is the key fact for triaging scanner hits against this CVE.
  • It is unrelated to the Dirty Frag and Fragnesia page-cache corruption vulnerabilities. The ESP module-block mitigations for those CVEs do not address this one, and blocking ip6_tunnel does not address those.
  • CIQ Bridge (CentOS 7.9) is affected and is being tracked alongside the Rocky Linux variants.
