Skip to main content

Linux Kernel EUVDEUVD-2026-39314

| CVE-2026-53223 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9mph-4hqc-xqx7
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.3 MEDIUM

Local AF_PACKET access needs CAP_NET_RAW so PR:L; the chained timestamping/SO_RXQ_OVFL/odd-drop/non-linear preconditions justify AC:H; heap disclosure gives C:H and usercopy panic gives A:H, no integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:37 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb from sk_error_queue. That assumption is not true for AF_PACKET sockets: outgoing packet taps are also delivered to packet sockets with skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic timestamp cmsg path can read AF_PACKET control-buffer state as sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop counter overlaps opt_stats. An odd drop count makes the path emit SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear skbs this copies past the linear head and can trigger hardened usercopy or disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal receive ownership and no longer pass as error-queue skbs, while legitimate sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free ownership.

AnalysisAI

Local heap disclosure and kernel crash in the Linux kernel networking stack arises because skb_is_err_queue() misidentifies AF_PACKET outgoing-tap skbs as error-queue skbs, letting AF_PACKET control-buffer state be misread as sock_exterr_skb::opt_stats. When timestamping and SO_RXQ_OVFL are enabled, an odd packet-drop counter makes the timestamp cmsg path emit SCM_TIMESTAMPING_OPT_STATS over non-linear skbs, reading past the linear head to leak adjacent kernel heap or trip hardened usercopy (BUG/panic). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain CAP_NET_RAW in local context
Delivery
Open AF_PACKET socket, enable timestamping + SO_RXQ_OVFL
Exploit
Induce non-linear outgoing tap skb with odd drop count
Execution
Trigger SCM_TIMESTAMPING_OPT_STATS over-read
Impact
Leak adjacent kernel heap or panic via hardened usercopy

Vulnerability AssessmentAI

Exploitation Exploitation requires a local attacker able to open an AF_PACKET (packet) socket - which normally needs the CAP_NET_RAW capability - and to enable both packet timestamping (SO_TIMESTAMPING) and the SO_RXQ_OVFL socket option on that socket. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a real but bounded local issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with CAP_NET_RAW (for example code running in a container granted NET_RAW, or a compromised low-privilege network agent) opens an AF_PACKET socket, enables packet timestamping and SO_RXQ_OVFL, and arranges traffic so a non-linear outgoing tap skb is delivered with an odd drop count. The timestamp cmsg path then emits SCM_TIMESTAMPING_OPT_STATS reading past the linear skb head, leaking adjacent kernel heap to the attacker or tripping hardened usercopy to panic the host. …
Remediation Vendor-released patch: update to a fixed kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, or mainline 7.1 (or your distribution's equivalent backport), drawn from the git.kernel.org/stable fix commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems in your environment and catalog their kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy