DF-0312
Unchecked ifindex2ifnet[] indexing from embedded address scope-id on loopback output
Summary
Loopback branch(:577,:579) ifindex2ifnet[ntohs(s6_addr16[1])] with no bounds check. Contrast IPV6_PKTINFO path validates against if_index(:2628-2631). Crafted raw socket with bogus zone id -> OOB read of ifindex2ifnet table. Kernel address selection normally prevents.