Skip to main content

Linux EUVDEUVD-2026-12810

| CVE-2026-23247 MEDIUM
2026-03-18 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 21, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 10:30 euvd
EUVD-2026-12810
Analysis Generated
Mar 18, 2026 - 10:30 vuln.today
CVE Published
Mar 18, 2026 - 10:05 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tcp: secure_seq: add back ports to TS offset

This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets")

tcp_tw_recycle went away in 2017.

Zhouyan Deng reported off-path TCP source port leakage via SYN cookie side-channel that can be fixed in multiple ways.

One of them is to bring back TCP ports in TS offset randomization.

As a bonus, we perform a single siphash() computation to provide both an ISN and a TS offset.

AnalysisAI

This vulnerability is an information disclosure issue in the Linux kernel's TCP implementation where the timestamp offset calculation was insufficiently randomized, allowing off-path attackers to leak TCP source ports via a SYN cookie side-channel attack. All Linux kernel versions from 4.11 onwards are affected, with confirmed vulnerable versions including Linux 6.18.17, 6.19.7, and 7.0-rc3. An attacker can exploit this to infer source port numbers used in TCP connections without being on the network path, which can facilitate further network-level attacks such as connection hijacking or targeted DoS.

Technical ContextAI

The vulnerability resides in the secure_seq subsystem of the Linux kernel TCP stack, specifically in the randomization mechanism that generates Initial Sequence Numbers (ISN) and timestamp offsets for TCP connections. The root cause is an information disclosure class weakness (CWE category) stemming from insufficient entropy in the timestamp offset computation. Prior to the vulnerable change (commit 28ee1b746f49), TCP ports were included in the TS offset randomization via siphash computation. When this was downgraded to per-host timestamp offsets without port inclusion, it created a side-channel through which SYN cookies could leak source port information. The fix reintroduces ports into the TS offset calculation and performs a single siphash() computation to derive both ISN and TS offset, restoring cryptographic isolation between different port pairs. This affects the Linux kernel across all architectures covered by CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Apply the upstream Linux kernel fix by upgrading to a patched kernel version that includes commit eae2f14ab2efccdb7480fae7d42c4b0116ef8805 or later stable releases (6.18.17, 6.19.7, or 7.0-rc3 and newer). Linux distributions including Debian, Ubuntu, Red Hat, and SUSE have released or will release kernel security updates addressing this vulnerability—check your distribution's security advisories and apply kernel updates through your standard patch management process (apt, dnf, zypper, etc.). For systems unable to patch immediately, implement defense-in-depth network controls: enforce strong firewall rules that limit TCP connection establishment to known good sources, implement TCP connection tracking at the edge, and consider deploying intrusion detection systems (IDS) tuned to detect port prediction attacks. However, no effective workaround exists short of kernel patching, as the vulnerability is in the core TCP stack itself. Prioritize patching within your standard maintenance windows but do not delay beyond your next scheduled kernel update cycle.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-12810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy