Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated (AV:N/PR:N), but needs a deliberately fragmented packet and active AF_RXRPC so AC:H; impact is an out-of-bounds read (C:L) with possible processing crash (A:L), not code execution.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix the ACK parser to extract the SACK table for parsing
Fix modification of the received skbuff in rxrpc_input_soft_acks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AF_RXRPC tries to extract the contents of the SACK table by copying out the contents of the SACK table into a buffer before attempting to parse
AF_RXRPC assumes that it can just call skb_condense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances.
Note that whilst rxrpc_input_soft_acks() should be able to parse extended ACKs, the rest of AF_RXRPC doesn't currently support that.
Further, there's then no need to call skb_condense() in rxrpc_input_ack(), so don't.
AnalysisAI
Out-of-bounds buffer access in the Linux kernel's AF_RXRPC (rxrpc) networking subsystem allows a remote attacker who can send crafted RxRPC-over-UDP traffic to trigger improper reads of the SACK table when an incoming ACK packet is deliberately fragmented. AF_RXRPC wrongly assumes skb_condense() always linearizes the packet before parsing soft-ACKs in rxrpc_input_soft_acks(), but skb_condense() can silently no-op, leading to access of a non-flat buffer and in-place modification of the received skbuff. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running AF_RXRPC - the rxrpc kernel module loaded with an active RxRPC/AFS (kafs) socket processing incoming ACK packets; on systems without AFS this code path is not reached. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-style CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) is the automated Linux-kernel maximal scoring and substantially overstates real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker able to reach an AF_RXRPC/AFS endpoint on a target host crafts a deliberately fragmented UDP datagram carrying a malformed RxRPC ACK whose SACK table spans a non-linear skb region. When the kernel parses the soft-ACKs without a guaranteed linear buffer, it reads out of bounds and may leak adjacent kernel memory contents or destabilize packet processing. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 or later on the corresponding branch (commits 566c4c1244de50fbff1f89ff93c9d7b0fc256db4, 224298450be5c04d2a6ea1c2a94669d7ebf65d00, 333b6d5bb9f87827ac2639c737bf9613dbae7253 at git.kernel.org/stable). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit infrastructure to identify systems running Linux kernels with AF_RXRPC enabled (check /boot/config or kernel configuration). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39242
GHSA-fp35-jcpc-9wwg