{
  "variant_id": "CVE-2026-43456-ip6gre-variant",
  "created_at": "2026-07-03",
  "variant_summary": "Distinct alternate trigger of CVE-2026-43456's bonding header_ops type-confusion kernel DoS via the IPv6 GRE sink ip6gre_header() (net/ipv6/ip6_gre.c, reading struct ip6_tnl) instead of the original IPv4 GRE sink ipgre_header() (net/ipv4/ip_gre.c, reading struct ip_tunnel). The original reproduction never reached ip6gre_header because its probe configured the ip6gre tunnel WITH a remote address, which prevents ip6gre_header_ops from being assigned (ip6gre_tunnel_init assigns it only when ipv6_addr_any(&parms.raddr)). This variant uses an ip6gre tunnel with NO remote, which assigns ip6gre_header_ops, and reproduces the same kernel BUG_ON/panic DoS on the vulnerable 7.0.0-rc2 kernel. The upstream fix (bond_header_ops, commit 950803f7) is generic and delegates the active slave's header_ops->create to the slave device, so on the fixed kernel ip6gre_header runs with dev=ip6gre1 (correct netdev_priv=struct ip6_tnl, hlen=4) and no crash occurs. CONFIRMED alternate trigger on vulnerable; NOT a bypass (fix covers it).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "linux-stable",
  "submitted_target": {
    "target_kind": "kernel_source_commit",
    "commit_sha": "e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69",
    "version": "7.0.0-rc2",
    "ref": "v7.0.0-rc2",
    "display": "Linux 7.0.0-rc2 (commit e3f5e0f22, parent of upstream fix 950803f7) -- the CVE's vulnerable target"
  },
  "variant_target": {
    "target_kind": "kernel_source_commit",
    "commit_sha": "e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69",
    "version": "7.0.0-rc2",
    "ref": "v7.0.0-rc2",
    "display": "Linux 7.0.0-rc2 (commit e3f5e0f22) -- exact vulnerable kernel on which the ip6gre variant DoS was reproduced (same bzImage as submitted_target; fixed-side control swaps in bonding.ko built after applying fix 950803f7)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "local kernel DoS via ip6gre_header() type confusion: an IPv6 GRE tunnel created with NO remote (so ip6gre_header_ops is assigned) is enslaved to an active-backup bond; bond_setup_by_slave copies ip6gre_header_ops onto the bond; dev_hard_header(bond) calls ip6gre_header(bond) which dereferences netdev_priv(bond)=struct bonding as struct ip6_tnl",
  "validated_surface": "local_only",
  "required_entrypoint_kind": "local_kernel_runtime",
  "required_entrypoint_detail": "QEMU x86_64 VM booting Linux 7.0.0-rc2 (e3f5e0f22, KASAN); in-VM CAP_NET_ADMIN configuration: ip6gre tunnel with NO remote (local fd00::1) enslaved to an active-backup bond; AF_PACKET SOCK_DGRAM sendto on the bond to invoke dev_hard_header(bond)->ip6gre_header(bond)",
  "attacker_controlled_input": "Create an IPv6 GRE tunnel with NO remote address (ip6gre1, local fd00::1) so that ip6gre_tunnel_init() assigns ip6gre_header_ops; enslave it to an active-backup bond so bond_setup_by_slave() copies ip6gre_header_ops onto bond1; the confused ip6_tnl.hlen field (offset 264 inside struct bonding) holding a sign-bit-set value makes ip6gre_header()'s needed = hlen + sizeof(ipv6hdr) overflow to a negative int; an AF_PACKET SOCK_DGRAM sendto on bond1 triggers dev_hard_header(bond1) -> ip6gre_header(bond1)",
  "trigger_path": "ip link add ip6gre1 type ip6gre local fd00::1 (NO remote -> ip6gre_header_ops assigned); ip link add bond1 type bond mode active-backup; ip link set ip6gre1 master bond1 (bond_setup_by_slave: bond_dev->header_ops = ip6gre_header_ops on vuln / &bond_header_ops on fixed); insmod populate_hlen6.ko (writes 0x961a63cc to netdev_priv(bond1)+offsetof(struct ip6_tnl,hlen)=264); AF_PACKET SOCK_DGRAM sendto on bond1 -> packet_sendmsg -> packet_snd -> dev_hard_header(bond1) -> ip6gre_header(bond1) [t=netdev_priv(bond)=struct bonding read as struct ip6_tnl; t->hlen=0x961a63cc] -> needed=hlen+40 overflows to negative int -> skb_headroom(skb)<needed (unsigned compare, skb_headroom returns unsigned) true -> pskb_expand_head(skb, HH_DATA_ALIGN(needed-headroom),0,GFP_ATOMIC) with nhead<0 -> BUG_ON(nhead<0) -> kernel panic (DoS)",
  "observed_impact_class": "dos",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "Upstream fix commit 950803f7254721c1c15858fbbfae3deaaeeecb11 introduces bond_header_ops whose bond_header_create() delegates the active slave's header_ops->create to the slave's own device (slave->dev), so netdev_priv() receives the correct struct ip6_tnl of the ip6gre slave. The ip6gre variant does NOT reproduce on the fixed kernel (ip6gre_header runs with dev=ip6gre1, hlen=4, no crash). The bypass is blocked; the fix is complete for this variant.",
  "file_path": "net/ipv6/ip6_gre.c",
  "line_start": 1365,
  "line_end": 1407,
  "secondary_anchors": [
    {
      "file_path": "drivers/net/bonding/bond_main.c",
      "line_start": 1556,
      "line_end": 1564
    },
    {
      "file_path": "net/ipv6/ip6_gre.c",
      "line_start": 1525,
      "line_end": 1533
    },
    {
      "file_path": "net/ipv4/ip_gre.c",
      "line_start": 889,
      "line_end": 930
    },
    {
      "file_path": "include/linux/netdevice.h",
      "line_start": 310,
      "line_end": 320
    }
  ],
  "review_scope_paths": [
    "drivers/net/bonding/bond_main.c",
    "net/ipv6/ip6_gre.c",
    "net/ipv4/ip_gre.c",
    "net/ipv4/ip_tunnel_core.c",
    "include/linux/netdevice.h",
    "include/net/ip6_tunnel.h",
    "include/net/ip_tunnels.h"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "patch_analysis": "bundle/vuln_variant/patch_analysis.md",
    "source_identity": "bundle/vuln_variant/source_identity.json",
    "repro_log": "bundle/logs/vuln_variant_repro.log",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/bond_variant_init.c",
      "bundle/vuln_variant/populate_hlen6.c"
    ],
    "vm_logs": [
      "bundle/logs/qemu_var_vuln.log",
      "bundle/logs/qemu_var_fixed.log"
    ]
  }
}
