Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local AF_PACKET access needs CAP_NET_RAW so PR:L; the chained timestamping/SO_RXQ_OVFL/odd-drop/non-linear preconditions justify AC:H; heap disclosure gives C:H and usercopy panic gives A:H, no integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: guard timestamp cmsgs to real error queue skbs
skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb from sk_error_queue. That assumption is not true for AF_PACKET sockets: outgoing packet taps are also delivered to packet sockets with skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET instead of struct sock_exterr_skb.
If such an skb is received with timestamping enabled, the generic timestamp cmsg path can read AF_PACKET control-buffer state as sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop counter overlaps opt_stats. An odd drop count makes the path emit SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear skbs this copies past the linear head and can trigger hardened usercopy or disclose adjacent heap contents.
Keep skb_is_err_queue() local to net/socket.c, but make it verify that the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal receive ownership and no longer pass as error-queue skbs, while legitimate sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free ownership.
AnalysisAI
Local heap disclosure and kernel crash in the Linux kernel networking stack arises because skb_is_err_queue() misidentifies AF_PACKET outgoing-tap skbs as error-queue skbs, letting AF_PACKET control-buffer state be misread as sock_exterr_skb::opt_stats. When timestamping and SO_RXQ_OVFL are enabled, an odd packet-drop counter makes the timestamp cmsg path emit SCM_TIMESTAMPING_OPT_STATS over non-linear skbs, reading past the linear head to leak adjacent kernel heap or trip hardened usercopy (BUG/panic). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local attacker able to open an AF_PACKET (packet) socket - which normally needs the CAP_NET_RAW capability - and to enable both packet timestamping (SO_TIMESTAMPING) and the SO_RXQ_OVFL socket option on that socket. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a real but bounded local issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with CAP_NET_RAW (for example code running in a container granted NET_RAW, or a compromised low-privilege network agent) opens an AF_PACKET socket, enables packet timestamping and SO_RXQ_OVFL, and arranges traffic so a non-linear outgoing tap skb is delivered with an odd drop count. The timestamp cmsg path then emits SCM_TIMESTAMPING_OPT_STATS reading past the linear skb head, leaking adjacent kernel heap to the attacker or tripping hardened usercopy to panic the host. … |
| Remediation | Vendor-released patch: update to a fixed kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, or mainline 7.1 (or your distribution's equivalent backport), drawn from the git.kernel.org/stable fix commits. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems in your environment and catalog their kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39314
GHSA-9mph-4hqc-xqx7