FixVibe
Not automatically checkedhigh

IPv6 Specification ICMP Packet Too Big (PTB) Fragmentation Vulnerability (CVE-2016-10142)

An issue in the IPv6 protocol specification regarding ICMP Packet Too Big (PTB) messages allows attackers to exploit IP fragmentation behaviors across various IPv6 implementations, potentially leading to denial of service or security control bypasses.

CVE-2016-10142CWE-17

Attacker Impact

An attacker can exploit vulnerabilities in IPv6 fragmentation and Path MTU Discovery (PMTUD) to bypass security controls, such as firewalls or intrusion detection systems, or to cause a denial of service on the target system [S1]. By manipulating ICMPv6 Packet Too Big (PTB) messages, an attacker can force a connection to use fragmentation unnecessarily or fragment packets in a way that evades deep packet inspection [S1].

Root Cause

The issue stems from IPv6 protocol behavior around ICMPv6 Packet Too Big messages and IP fragmentation [S1]. Fragmentation can create security-control evasion and reassembly resource risks, and implementations or network devices that handle atomic fragments or invalid MTU reductions poorly can expose denial-of-service conditions [S1]. Because this is a protocol-level issue, exposure depends on the operating system, network stack, firewall, router, CDN, and path behavior in front of the application [S1].

Concrete Fixes

Mitigation relies on strict network-level filtering and updated network stacks:

  • Enforce RFC7112-style filtering: Configure firewalls and routers to drop IPv6 packets where the complete IPv6 header chain is not present in the first fragment [S1].
  • Validate and rate-limit ICMPv6 PTB: Apply boundary controls that rate-limit or validate ICMPv6 Packet Too Big messages while preserving legitimate Path MTU Discovery [S1].
  • Enforce the IPv6 minimum MTU: Ensure hosts and network devices ignore PTB messages that attempt to drive MTU below the IPv6 minimum of 1280 bytes [S1].
  • Keep network stacks and appliances patched: Apply vendor updates for operating systems, routers, firewalls, load balancers, and hypervisors that process IPv6 fragmentation and PMTUD [S1].

Why FixVibe will not check this automatically

FixVibe is keeping this article as a research note rather than shipping an automatic website check for CVE-2016-10142.

The proposed signal is not a normal web, DNS, BaaS, or repository signal. A trustworthy check would require sending raw IPv6/ICMP fragmentation and Packet Too Big traffic and then observing network-stack behavior. That is privileged network-service testing outside FixVibe's current verified URL scan boundary, and it can affect Path MTU Discovery if implemented incorrectly.

The evidence would also be hard to interpret from a SaaS web scanner. CDNs, firewalls, load balancers, and transit paths commonly rewrite, rate-limit, or drop ICMPv6 and fragmented IPv6 traffic before it reaches the origin. A blocked or accepted packet could describe the path in front of the app rather than the customer's host, so reporting this as a live FixVibe vulnerability from a standard website scan would overstate what FixVibe verified.

Treat this research note as operator guidance: inventory IPv6 exposure, validate router and firewall handling in a controlled network test, keep network devices and host kernels patched, and enforce the IPv6 minimum MTU and fragment-filtering controls. A future network-service scan mode could revisit this only with explicit host/path authorization, safe packet-rate limits, and wording that separates path behavior from confirmed host exposure.