Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Side-channel leaks confidential TCP sequence numbers to local unprivileged users, yielding C:H; no integrity or availability impact from passive observation alone.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
tcp: restrict SO_ATTACH_FILTER to priv users
This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets to users with CAP_NET_ADMIN capability.
This blocks potential side-channel attack where an unprivileged application attaches a filter to leak TCP sequence/acknowledgment numbers.
AnalysisAI
TCP socket side-channel information disclosure in the Linux kernel allows unprivileged local users to attach classic BPF (cBPF) filters via SO_ATTACH_FILTER to TCP sockets and observe TCP sequence and acknowledgment numbers, potentially enabling session inference or TCP injection assistance. The vulnerability exists because no capability check was enforced before this patch, which now restricts SO_ATTACH_FILTER on TCP sockets to processes holding CAP_NET_ADMIN. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid local user account on the target Linux system (CVSS PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-low despite the sensitive nature of the leaked data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user on a shared Linux server or containerized host creates a TCP socket and calls setsockopt() with SO_ATTACH_FILTER to attach a crafted cBPF program. The filter passively observes traffic on the socket, reading TCP sequence and acknowledgment numbers from the kernel's packet processing path, information that could be used to infer the state of other users' TCP sessions or to assist in crafting TCP reset or injection payloads. … |
| Remediation | Upgrade to a patched Linux kernel stable release: 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, applying the upstream commits available at https://git.kernel.org/stable/c/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39327
GHSA-jmmv-2hp7-p7g5