Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local AF_XDP access needs privilege (PR:L) and exploitation hinges on winning a narrow TOCTOU race (AC:H); kernel memory corruption yields full C:H/I:H/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()
The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xsk_skb_metadata(), csum_start and csum_offset are read from shared memory for bounds validation, then read again for skb assignment. A malicious userspace application can race to overwrite these values between the two reads, bypassing the bounds check and causing out-of-bounds memory access during checksum computation in the transmit path.
Fix this by reading csum_start and csum_offset into local variables once, then using the local copies for both validation and assignment.
Note that other metadata fields (flags, launch_time) and the cached csum fields may be mutually inconsistent due to concurrent userspace writes, but this is benign: the only security-critical invariant is that each field's validated value is the same one used, which local caching guarantees.
AnalysisAI
Out-of-bounds kernel memory access in the Linux kernel's AF_XDP (xsk) transmit path allows a local low-privileged process to bypass bounds checking on TX checksum metadata. Because csum_start/csum_offset live in a userspace-mapped UMEM buffer, a malicious application could race to overwrite them between the validation read and the assignment read in xsk_skb_metadata(), defeating the bounds check during checksum computation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution and the ability to create an AF_XDP (XDP socket) transmit path with TX checksum-offload metadata enabled - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are coherent and point to a real but locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker (or untrusted containerized workload) with permission to create an AF_XDP socket sets up a TX UMEM ring with checksum-offload metadata, then runs a second thread that continuously rewrites csum_start/csum_offset in the shared UMEM buffer. By timing writes to land between the kernel's validation read and its use read, the attacker slips an out-of-bounds offset past the bounds check, corrupting kernel memory during checksum computation to crash the host or pursue privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 (or later) - which snapshots csum_start/csum_offset into local variables before validation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Query systems and container images for vulnerable Linux kernel versions; consult vendor security advisories (Red Hat, Canonical, etc.) for specific patched versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39201
GHSA-cx83-hxfr-m85v