Skip to main content

Linux Kernel CVE-2026-53151

| EUVDEUVD-2026-39242 CRITICAL
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fp35-jcpc-9wwg
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.8 MEDIUM

Remote unauthenticated (AV:N/PR:N), but needs a deliberately fragmented packet and active AF_RXRPC so AC:H; impact is an out-of-bounds read (C:L) with possible processing crash (A:L), not code execution.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:16 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix the ACK parser to extract the SACK table for parsing

Fix modification of the received skbuff in rxrpc_input_soft_acks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AF_RXRPC tries to extract the contents of the SACK table by copying out the contents of the SACK table into a buffer before attempting to parse

AF_RXRPC assumes that it can just call skb_condense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances.

Note that whilst rxrpc_input_soft_acks() should be able to parse extended ACKs, the rest of AF_RXRPC doesn't currently support that.

Further, there's then no need to call skb_condense() in rxrpc_input_ack(), so don't.

AnalysisAI

Out-of-bounds buffer access in the Linux kernel's AF_RXRPC (rxrpc) networking subsystem allows a remote attacker who can send crafted RxRPC-over-UDP traffic to trigger improper reads of the SACK table when an incoming ACK packet is deliberately fragmented. AF_RXRPC wrongly assumes skb_condense() always linearizes the packet before parsing soft-ACKs in rxrpc_input_soft_acks(), but skb_condense() can silently no-op, leading to access of a non-flat buffer and in-place modification of the received skbuff. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach AF_RXRPC UDP endpoint
Delivery
Craft fragmented RxRPC ACK packet
Exploit
SACK table parsed from non-linear skb
Execution
Out-of-bounds read of kernel memory
Impact
Leak data or crash processing

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be running AF_RXRPC - the rxrpc kernel module loaded with an active RxRPC/AFS (kafs) socket processing incoming ACK packets; on systems without AFS this code path is not reached. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-style CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) is the automated Linux-kernel maximal scoring and substantially overstates real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker able to reach an AF_RXRPC/AFS endpoint on a target host crafts a deliberately fragmented UDP datagram carrying a malformed RxRPC ACK whose SACK table spans a non-linear skb region. When the kernel parses the soft-ACKs without a guaranteed linear buffer, it reads out of bounds and may leak adjacent kernel memory contents or destabilize packet processing. …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 or later on the corresponding branch (commits 566c4c1244de50fbff1f89ff93c9d7b0fc256db4, 224298450be5c04d2a6ea1c2a94669d7ebf65d00, 333b6d5bb9f87827ac2639c737bf9613dbae7253 at git.kernel.org/stable). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit infrastructure to identify systems running Linux kernels with AF_RXRPC enabled (check /boot/config or kernel configuration). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy