Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable but requires non-default TIPC plus heap grooming to exploit (AC:H); impact is primarily a kernel crash (A:H) with limited integrity and no confidentiality loss.
Primary rating from Vendor (Linux).
CVSS Vector (Vendor: Linux)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix double-free in tipc_buf_append()
tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer.
If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free.
Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
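The pointer-aliasing pattern described above, as a small user-space model added here as an example (it is not the kernel's code or the upstream patch). The names `struct buf`, `validate`, `append_vulnerable` and `append_fixed` are hypothetical, and releases are counted rather than performed so the double free can be observed safely.

```c
#include <stdio.h>
/* Constructed user-space model; none of these names are kernel APIs. */
struct buf { int frees; int valid; };
static struct buf pool[2];   /* pool[0]: caller's buffer, pool[1]: reallocated copy */

/* Count releases instead of calling free(), so a double free is observable. */
static void buf_free(struct buf *b) { if (b) b->frees++; }

/* Validator that may reallocate: releases *pb, repoints it at a copy, returns 0 on failure. */
static int validate(struct buf **pb)
{
    buf_free(*pb);
    *pb = &pool[1];
    return (*pb)->valid;
}

/* Before: validate() only updates the local copy, so *headbuf goes stale. */
static void append_vulnerable(struct buf **headbuf)
{
    struct buf *head = *headbuf;
    if (!validate(&head)) {
        buf_free(*headbuf);      /* second release of the original buffer */
        *headbuf = NULL;
    }
}

/* After: if head was replaced, hand the new buffer to the error path. */
static void append_fixed(struct buf **headbuf)
{
    struct buf *head = *headbuf;
    if (!validate(&head)) {
        if (head != *headbuf)
            *headbuf = head;
        buf_free(*headbuf);      /* releases the copy exactly once */
        *headbuf = NULL;
    }
}

/* Returns 10 * (releases of original) + (releases of copy). */
static int run(void (*append)(struct buf **))
{
    struct buf *caller = &pool[0];
    pool[0] = pool[1] = (struct buf){0, 0};
    append(&caller);
    return pool[0].frees * 10 + pool[1].frees;
}

int main(void) { printf("vulnerable=%d fixed=%d\n", run(append_vulnerable), run(append_fixed)); return 0; }
```

In this model the vulnerable variant releases the original buffer twice and never releases the copy, while the fixed variant releases each buffer exactly once.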
Analysis (AI)
Memory corruption in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol stack allows remote attackers to trigger a double-free in tipc_buf_append() during message reassembly, where tipc_msg_validate() may reallocate and free the working skb while the error path frees a now-stale pointer. Affected systems are those running a vulnerable kernel (introduced around 4.15-era code, present across 5.10-7.0 branches) with the TIPC subsystem in use; successful exploitation can crash the kernel and, depending on heap conditions, potentially lead to privilege escalation. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires the target to have the Linux TIPC subsystem active - i.e. … |
| Risk Assessment | The signals conflict sharply. … |
| Exploit Scenario | An attacker with network reach to a host that has the TIPC module loaded sends a sequence of crafted, fragmented TIPC messages whose reassembly forces tipc_msg_validate() to reallocate the skb and then fail validation, triggering the double-free in tipc_buf_append(). The resulting kernel heap corruption most reliably panics the target (DoS) and could, with significant additional heap-grooming effort, be steered toward privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later in each series), applying the build your distribution ships that incorporates the corresponding git.kernel.org/stable commit. … |
Recommended Action (AI)
Within 24 hours: Scan production and non-production Linux systems for kernel versions 5.10-7.0 and verify TIPC subsystem status using 'grep -i tipc /boot/config-*' or 'lsmod | grep tipc'. …
Same weakness CWE-763 – Release of Invalid Pointer or Reference
EUVD-2026-38861
GHSA-m86q-cgj9-94c8