net: guard timestamp cmsgs to real error queue skbs

7.1 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.

Basic Information

ID CVE-2026-53223

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version 8605330aac5a5785630aec8f64378a54891937cc

Affected Versions Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux cdaf15b43bd31003220cb080bcbbd57787a2fca9
Linux Linux 4.10.14
Linux Linux 4.11

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: guard timestamp cmsgs to real error queue skbs\n\nskb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb\nfrom sk_error_queue. That assumption is not true for AF_PACKET sockets:\noutgoing packet taps are also delivered to packet sockets with\nskb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET\ninstead of struct sock_exterr_skb.\n\nIf such an skb is received with timestamping enabled, the generic\ntimestamp cmsg path can read AF_PACKET control-buffer state as\nsock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop\ncounter overlaps opt_stats. An odd drop count makes the path emit\nSCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear\nskbs this copies past the linear head and can trigger hardened usercopy or\ndisclose adjacent heap contents.\n\nKeep skb_is_err_queue() local to net/socket.c, but make it verify that\nthe PACKET_OUTGOING marker is paired with the sock_rmem_free destructor\ninstalled by sock_queue_err_skb(). AF_PACKET receive skbs use normal\nreceive ownership and no longer pass as error-queue skbs, while legitimate\nsk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free\nownership.",
    "published": "2026-06-25T08:39:24.588Z",
    "modified": "2026-06-28T06:40:34.222Z",
    "type": "cve",
    "title": "net: guard timestamp cmsgs to real error queue skbs",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/24a0d548d3a765cd4558224e4f8e06e14cba26e3\nhttps://git.kernel.org/stable/c/71ff5cdd5da61d0438e902aa0fd68c28bc901abe\nhttps://git.kernel.org/stable/c/ad9a0374ee6d11048e1f74cd5180bad58b9848b4\nhttps://git.kernel.org/stable/c/b903e9b5629ec8dd6db92174070045bf81ad7060\nhttps://git.kernel.org/stable/c/e0665b2a8e90bb08bd205062c75662b502d31797\nhttps://git.kernel.org/stable/c/3dde4fb941fa5649ab809f6cd3e20e0c424a4e31\nhttps://git.kernel.org/stable/c/eb51a9ad3ceb01bc6c0fb608dbc856e03ee6f24a\nhttps://git.kernel.org/stable/c/1ee90b77b727df903033db873c75caac5c27ec98",
    "id": "CVE-2026-53223",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux 8605330aac5a5785630aec8f64378a54891937cc\nLinux Linux cdaf15b43bd31003220cb080bcbbd57787a2fca9\nLinux Linux 4.10.14\nLinux Linux 4.11",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "8605330aac5a5785630aec8f64378a54891937cc",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net: guard timestamp cmsgs to real error queue skbs_CVE-2026-53223

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply