Skip to main content

Linux Kernel EUVDEUVD-2026-38732

| CVE-2026-52943 HIGH
Improper Update of Reference Count (CWE-911)
2026-06-24 Linux GHSA-vwrr-994w-h832
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local unprivileged user (AV:L, PR:L) reliably triggers a kernel UAF with no interaction, yielding root and thus full C/I/A impact; scope unchanged as it is same-kernel privilege gain.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:29 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 11:01 EUVD
CVE Published
Jun 24, 2026 - 09:00 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 09:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: fix missing zerocopy reference in pskb_carve helpers

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy the old skb_shared_info header into a new buffer via memcpy(), which includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs. Neither function calls net_zcopy_get() for the new shinfo, creating an unaccounted holder: every skb_shared_info with destructor_arg set will call skb_zcopy_clear() once when freed, but the corresponding net_zcopy_get() was never called for the new copy. Repeated calls drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while TX skbs still hold live destructor_arg pointers.

KASAN reports use-after-free on a freed ubuf_info_msgzc:

BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810 Read of size 8 at addr ffff88801574d3e8 by task poc/220

Call Trace: skb_release_data+0x77b/0x810 kfree_skb_list_reason+0x13e/0x610 skb_release_data+0x4cd/0x810 sk_skb_reason_drop+0xf3/0x340 skb_queue_purge_reason+0x282/0x440 rds_tcp_inc_free+0x1e/0x30 rds_recvmsg+0x354/0x1780 __sys_recvmsg+0xdf/0x180

Allocated by task 219: msg_zerocopy_realloc+0x157/0x7b0 tcp_sendmsg_locked+0x2892/0x3ba0

Freed by task 219: ip_recv_error+0x74a/0xb10 tcp_recvmsg+0x475/0x530

The skb consuming the late access still referenced the same uarg via shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without a refcount bump. This has been verified to be reliably exploitable: a working proof-of-concept achieves full root privilege escalation from an unprivileged local user on a default kernel configuration.

The fix follows the pattern of pskb_expand_head() which has the same memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get() is placed after skb_orphan_frags() succeeds, so the orphan error path needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is placed after all failure points and just before skb_release_data(), so no error path needs cleanup at all -- matching pskb_expand_head() more closely and avoiding the need for a balancing net_zcopy_put().

AnalysisAI

Local privilege escalation in the Linux kernel networking stack (skbuff/MSG_ZEROCOPY path) allows an unprivileged local user to gain full root via a use-after-free on ubuf_info_msgzc. The pskb_carve_inside_header() and pskb_carve_inside_nonlinear() helpers memcpy the skb_shared_info (including the zerocopy destructor_arg/uarg pointer) into a new buffer without calling net_zcopy_get(), so the uarg refcount is decremented more times than it was incremented, freeing the ubuf_info while live TX skbs still reference it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain unprivileged local shell
Delivery
Open zerocopy TX socket (MSG_ZEROCOPY)
Exploit
Trigger pskb_carve copying shinfo without refcount
Install
Drive uarg refcnt to zero, free ubuf_info
C2
Reuse freed object via skb_release_data UAF
Execute
Corrupt kernel memory for write primitive
Impact
Escalate to root

Vulnerability AssessmentAI

Exploitation Requires local code execution as an unprivileged user on the target (AV:L, PR:L) with no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals point to a genuine, high-priority local kernel bug rather than a paper-high CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unprivileged local user logs into a shell on a multi-tenant Linux host and runs a proof-of-concept that crafts socket operations exercising the MSG_ZEROCOPY transmit path together with skb carving (e.g. via TCP send plus error-queue recv and RDS receive), driving a ubuf_info refcount to zero while skbs still reference it. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.93, 6.18.35, or 7.0.12 (and 7.1+ mainline), matching the branch you run, then reboot to load the patched kernel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Linux systems and assess exposure; prioritize those with local user access or shared tenants. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy