Skip to main content

Linux Kernel EUVDEUVD-2026-39327

| CVE-2026-53236 MEDIUM
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jmmv-2hp7-p7g5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Side-channel leaks confidential TCP sequence numbers to local unprivileged users, yielding C:H; no integrity or availability impact from passive observation alone.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 13:27 vuln.today
CVSS changed
Jul 08, 2026 - 13:22 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tcp: restrict SO_ATTACH_FILTER to priv users

This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets to users with CAP_NET_ADMIN capability.

This blocks potential side-channel attack where an unprivileged application attaches a filter to leak TCP sequence/acknowledgment numbers.

AnalysisAI

TCP socket side-channel information disclosure in the Linux kernel allows unprivileged local users to attach classic BPF (cBPF) filters via SO_ATTACH_FILTER to TCP sockets and observe TCP sequence and acknowledgment numbers, potentially enabling session inference or TCP injection assistance. The vulnerability exists because no capability check was enforced before this patch, which now restricts SO_ATTACH_FILTER on TCP sockets to processes holding CAP_NET_ADMIN. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local unprivileged account
Delivery
Create TCP socket via socket()
Exploit
Attach crafted cBPF filter via setsockopt(SO_ATTACH_FILTER)
Execution
Observe TCP sequence and ack numbers through filter
Impact
Infer session state of targeted connections

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid local user account on the target Linux system (CVSS PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-low despite the sensitive nature of the leaked data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on a shared Linux server or containerized host creates a TCP socket and calls setsockopt() with SO_ATTACH_FILTER to attach a crafted cBPF program. The filter passively observes traffic on the socket, reading TCP sequence and acknowledgment numbers from the kernel's packet processing path, information that could be used to infer the state of other users' TCP sessions or to assist in crafting TCP reset or injection payloads. …
Remediation Upgrade to a patched Linux kernel stable release: 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, applying the upstream commits available at https://git.kernel.org/stable/c/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39327 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy