Skip to main content

Linux Kernel CVE-2026-53233

| EUVDEUVD-2026-39324 HIGH
Double Free (CWE-415)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wr67-pp59-29qp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local netlink caller (AV:L, PR:L); AC:H because the double-free only fires when genlmsg_reply() is forced to fail (full rcvbuf), and kernel memory corruption yields C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 23:53 vuln.today
CVSS changed
Jul 07, 2026 - 23:52 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netdev: fix double-free in netdev_nl_bind_rx_doit()

Sashiko flags that genlmsg_reply() always consumes the skb. The error path calls nlmsg_free(rsp) so we can't jump directly to it. Let's not unbind, just propagate the error to the user. This is the typical way of handling genlmsg_reply() failures. They shouldn't happen unless user does something silly like calling the kernel with an already-full rcvbuf.

AnalysisAI

Local memory corruption (double-free) in the Linux kernel netdev generic-netlink interface affects the device-memory RX binding path (netdev_nl_bind_rx_doit) in kernels 7.1-rc1 through 7.1-rc7 and backport-affected stable branches. Because genlmsg_reply() unconditionally consumes the reply skb, the buggy error path then calls nlmsg_free() on that same buffer, freeing it a second time; a local user able to reach the BIND_RX netlink command and force a reply failure can trigger the flaw. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to vulnerable host
Delivery
Reach netdev BIND_RX netlink command
Exploit
Force genlmsg_reply() failure via full rcvbuf
Execution
Trigger double-free of reply skb
Persist
Corrupt kernel slab allocator state
Impact
Escalate toward use-after-free / root

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a vulnerable kernel and the ability to invoke the netdev generic-netlink family's BIND_RX command (netdev_nl_bind_rx_doit), i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuine but low-priority local memory-safety bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with access to the netdev generic-netlink family issues a BIND_RX request and deliberately drives the netlink socket into a state where the reply cannot be delivered (for example an already-full receive buffer), causing genlmsg_reply() to fail and the error path to free the reply skb a second time. The resulting double-free corrupts kernel slab state, which a skilled attacker could attempt to shape toward a use-after-free and local privilege escalation. …
Remediation Vendor-released patch: update to a fixed Linux kernel build - 7.0.13, 6.12.94, 6.18.36, or 7.1 (or later) depending on your branch - via the stable-tree commits at https://git.kernel.org/stable/c/9b019376cbee10c4f9184d1745fa37d156e36f30 and the companion commits (c299321bc6232770ce378d6fa6bc46004d2d7fdb, c849de7d8757a7af801fc4a4058f71d481d367f2, e055ca9205d3eb6aec3e5fe4ecc18abbbf18c599); consume the fix through your distribution's kernel update channel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Scan inventory for systems running Linux kernel 7.1-rc1 through 7.1-rc7 and affected stable branches. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy