Skip to main content

Linux Kernel EUVDEUVD-2026-39201

| CVE-2026-53250 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cx83-hxfr-m85v
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local AF_XDP access needs privilege (PR:L) and exploitation hinges on winning a narrow TOCTOU race (AC:H); kernel memory corruption yields full C:H/I:H/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:44 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()

The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xsk_skb_metadata(), csum_start and csum_offset are read from shared memory for bounds validation, then read again for skb assignment. A malicious userspace application can race to overwrite these values between the two reads, bypassing the bounds check and causing out-of-bounds memory access during checksum computation in the transmit path.

Fix this by reading csum_start and csum_offset into local variables once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch_time) and the cached csum fields may be mutually inconsistent due to concurrent userspace writes, but this is benign: the only security-critical invariant is that each field's validated value is the same one used, which local caching guarantees.

AnalysisAI

Out-of-bounds kernel memory access in the Linux kernel's AF_XDP (xsk) transmit path allows a local low-privileged process to bypass bounds checking on TX checksum metadata. Because csum_start/csum_offset live in a userspace-mapped UMEM buffer, a malicious application could race to overwrite them between the validation read and the assignment read in xsk_skb_metadata(), defeating the bounds check during checksum computation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local execution with AF_XDP socket access
Delivery
Set up TX UMEM ring with csum metadata
Exploit
Race-overwrite csum_start/csum_offset in shared buffer
Execution
Bypass bounds check on second read
Persist
Trigger out-of-bounds access in checksum path
Impact
Corrupt kernel memory for crash or escalation

Vulnerability AssessmentAI

Exploitation Requires local code execution and the ability to create an AF_XDP (XDP socket) transmit path with TX checksum-offload metadata enabled - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are coherent and point to a real but locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker (or untrusted containerized workload) with permission to create an AF_XDP socket sets up a TX UMEM ring with checksum-offload metadata, then runs a second thread that continuously rewrites csum_start/csum_offset in the shared UMEM buffer. By timing writes to land between the kernel's validation read and its use read, the attacker slips an out-of-bounds offset past the bounds check, corrupting kernel memory during checksum computation to crash the host or pursue privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 (or later) - which snapshots csum_start/csum_offset into local variables before validation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Query systems and container images for vulnerable Linux kernel versions; consult vendor security advisories (Red Hat, Canonical, etc.) for specific patched versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy