7.1

CVE-2026-53223

net: guard timestamp cmsgs to real error queue skbs

In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.10.14 < 4.11
LinuxLinux Kernel Version >= 4.11.1 < 5.10.259
LinuxLinux Kernel Version >= 5.11 < 5.15.210
LinuxLinux Kernel Version >= 5.16 < 6.1.176
LinuxLinux Kernel Version >= 6.2 < 6.6.143
LinuxLinux Kernel Version >= 6.7 < 6.12.94
LinuxLinux Kernel Version >= 6.13 < 6.18.36
LinuxLinux Kernel Version >= 6.19 < 7.0.13
LinuxLinux Kernel Version4.11 Update-
LinuxLinux Kernel Version4.11 Updaterc4
LinuxLinux Kernel Version4.11 Updaterc5
LinuxLinux Kernel Version4.11 Updaterc6
LinuxLinux Kernel Version4.11 Updaterc7
LinuxLinux Kernel Version4.11 Updaterc8
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
LinuxLinux Kernel Version7.1 Updaterc5
LinuxLinux Kernel Version7.1 Updaterc6
LinuxLinux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.031
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/24a0d548d3a765cd4558224e4f8e06e14cba26e3
Patch
https://git.kernel.org/stable/c/71ff5cdd5da61d0438e902aa0fd68c28bc901abe
Patch
https://git.kernel.org/stable/c/ad9a0374ee6d11048e1f74cd5180bad58b9848b4
Patch
https://git.kernel.org/stable/c/b903e9b5629ec8dd6db92174070045bf81ad7060
Patch
https://git.kernel.org/stable/c/e0665b2a8e90bb08bd205062c75662b502d31797
Patch
https://git.kernel.org/stable/c/3dde4fb941fa5649ab809f6cd3e20e0c424a4e31
Patch
https://git.kernel.org/stable/c/eb51a9ad3ceb01bc6c0fb608dbc856e03ee6f24a
Patch
https://git.kernel.org/stable/c/1ee90b77b727df903033db873c75caac5c27ec98
Patch