Skip to main content

Linux Kernel CVE-2026-53228

| EUVDEUVD-2026-39319 CRITICAL
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5q2p-7748-g6qp
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.8 MEDIUM

AC:H because triggering needs a GSO/cloned-skb race on a non-default SIT tunnel; C:L for a bounded freed-memory read and A:L for a possible oops; no integrity impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:38 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads().

For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call.

If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released.

Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.

AnalysisAI

Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send IPv6 traffic into a configured SIT tunnel
Delivery
GSO path clones skb and unclones header
Exploit
pskb_expand_head moves skb head
Execution
driver reads freed inner IPv6 header
Impact
leak kernel memory or crash host

Vulnerability AssessmentAI

Exploitation Exploitation requires the target host to have an IPv6-in-IPv4 SIT tunnel configured and active (ipip6_tunnel_xmit must run) - this is a non-default configuration and the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host configured as a SIT tunnel endpoint, an attacker (or normal traffic) drives packets through the tunnel such that the transmit path processes a cloned, GSO-eligible skb; the offload helper reallocates the skb head, and the driver then reads the inner hop-limit and DS fields through the freed pointer, potentially leaking stale kernel memory contents into emitted packets or oopsing the kernel. No public proof-of-concept is identified at time of analysis, and reliable triggering depends on winning the GSO/clone timing rather than a deterministic single request.
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backport referencing these git.kernel.org commits, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running IPv6 SIT tunnels and assess exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy