{
  "variant_id": "CVE-2026-43456-ip6gre-variant",
  "claim_outcome": "CONFIRMED_ALTERNATE_TRIGGER_NOT_BYPASS",
  "variant_kind": "alternate_trigger",
  "variant_confirmed_on_vulnerable": true,
  "bypass_confirmed": false,
  "fix_covers_variant": true,
  "repro_result": "confirmed_on_vulnerable_only",
  "validated_surface": "local_only",
  "evidence_scope": "production_path",
  "claimed_impact_class": "dos",
  "observed_impact_class": "dos",
  "crash_observed_on_vulnerable": true,
  "crash_observed_on_fixed": false,
  "end_to_end_target_reached": true,
  "exploitability_confidence": "high",
  "variant_sink": "net/ipv6/ip6_gre.c:ip6gre_header (struct ip6_tnl, ip6_tnl.hlen offset 264 inside struct bonding)",
  "original_sink": "net/ipv4/ip_gre.c:ipgre_header (struct ip_tunnel, ip_tunnel.hlen offset 160 inside struct bonding)",
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "vulnerable_commit": "e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69",
  "fix_commit": "950803f7254721c1c15858fbbfae3deaaeeecb11",
  "vuln_observation": "ip6gre type confusion + kernel DoS reproduced on vulnerable 7.0.0-rc2 (e3f5e0f22): ip6gre_header ran with dev=bond1 (netdev_priv(bond1)=struct bonding read as struct ip6_tnl); populate_hlen6 wrote 0x961a63cc into the confused ip6_tnl.hlen (offset 264); needed=hlen+40 overflowed to a negative int; pskb_expand_head() hit BUG_ON(nhead<0) -> kernel panic. hdr=[CVE-2026-43456 ip6gre_header: dev=bond1 hlen=-1776655412 needed=-1776655372 headroom=288] pop=[CVE-2026-43456 VAR(ip6gre): bond1 priv=ffff8881044ea9c0 ip6_tnl.hlen offset=264 old=0x00000000(0) new=0x961a63cc(-177665] crash=[[   13.021875] kernel BUG at net/core/skbuff.c:2306!\r\n[   13.022704] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\r\n[ ]",
  "fixed_observation": "On the fixed kernel (bond_header_ops, fix 950803f7) ip6gre_header ran with dev=ip6gre1 (correct slave device, netdev_priv=struct ip6_tnl of ip6gre1, hlen=4); no crash; [init] RESULT: NOT VULNERABLE (no kernel crash; fixed bond_header_ops used the slave ip6gre1 device)\r. hdr=[CVE-2026-43456 ip6gre_header: dev=ip6gre1 hlen=4 needed=44 headroom=288]",
  "blocking_mitigation": "Upstream bond_header_ops (fix 950803f7) delegates the active slave's header_ops->create to the slave's own device, so netdev_priv() receives the correct struct ip6_tnl of the ip6gre slave; the ip6gre variant does not reproduce on the fixed kernel.",
  "recommendation": "No additional fix required: the upstream bond_header_ops wrapper is generic and delegates the active slave's header_ops->create (here ip6gre_header) to the slave device, so netdev_priv() receives the correct struct ip6_tnl. The ip6gre alternate sink is covered. The fix is complete for both the ipgre and ip6gre create-type-confusion paths. (Advisory only: the fix drops .cache/.cache_update/.validate/.parse_protocol on non-Ethernet bonds by replacing header_ops with a create+parse-only wrapper; those callbacks are not present on the GRE tunnel header_ops and are NULL-safe at all callers, so this is a functional limitation, not a security gap.)",
  "inferred": false
}