Skip to main content

Linux Kernel CVE-2026-52935

| EUVDEUVD-2026-38705 HIGH
Out-of-bounds Write (CWE-787)
2026-06-24 Linux GHSA-9xww-vmqg-jh2q
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local PR:L user; AC:H due to the send-timing race to keep a partial send in flight; OOB read yields C:H and possible crash A:H, but no integrity write so I:N.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:28 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: espintcp: do not reuse an in-progress partial send

espintcp keeps a single in-flight transmit in ctx->partial. Before building a new sk_msg, espintcp_sendmsg() first tries to flush that state through espintcp_push_msgs().

For blocking callers, espintcp_push_msgs() may return success even when the previous partial send is still pending. espintcp_sendmsg() would then reinitialize emsg->skmsg and reuse ctx->partial while the old transfer still owns that state.

Do not rebuild the send message when ctx->partial is still in progress. If espintcp_push_msgs() returns with emsg->len still set, fail the new send instead of overwriting the live partial state.

This is a memory-safety fix: reusing the live partial-send state can leave a stale offset attached to a new sk_msg and lead to an out-of- bounds read in the send path.

tcp_sendmsg_locked() already handles waiting for send buffer memory, so the fix here is just to preserve espintcp's one-message-at-a-time transmit state.

AnalysisAI

Out-of-bounds read in the Linux kernel's xfrm espintcp (ESP-in-TCP IPsec encapsulation) send path allows a local user with a socket using espintcp to corrupt the one-message-at-a-time transmit state, leading to memory disclosure or a crash. The flaw stems from espintcp_sendmsg() reinitializing emsg->skmsg and reusing ctx->partial while a previous partial send is still in flight, attaching a stale offset to a fresh sk_msg. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Local access to host using espintcp IPsec
Delivery
Open espintcp socket
Exploit
Issue blocking send leaving partial in flight
Execution
Trigger sendmsg reusing live ctx->partial
Persist
Stale offset drives out-of-bounds read
Impact
Leak kernel memory or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires a local user able to open and drive an espintcp socket on a kernel where ESP-in-TCP (RFC 8229) IPsec encapsulation is configured and in use - this is the specific feature that must be enabled; the bug is not reachable on systems using UDP-encapsulated or native ESP. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a real but low-urgency, locally-scoped memory-safety bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on a host that uses ESP-in-TCP IPsec opens an espintcp socket and issues blocking sends timed so a partial transmit is still pending when a new sendmsg() is invoked. The kernel rebuilds the send message over the live partial state, and the stale offset drives an out-of-bounds read in the send path, leaking adjacent kernel/socket memory or crashing the system. …
Remediation Apply the vendor-released kernel update for your stable series - upgrade to 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 (or later) as appropriate to your branch; consume these via your distribution's patched kernel package and reboot. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems deploying xfrm espintcp (consult infrastructure documentation for IPsec configurations). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52935 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy