CVE 7.1 HIGH

net: guard timestamp cmsgs to real error queue skbs_CVE-2026-53223

7.1 / 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.

Basic Information

ID CVE-2026-53223
Source Linux
Published Jun 25, 2026 at 08:39
Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux
Product Linux
Version 8605330aac5a5785630aec8f64378a54891937cc
Affected Versions Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux 8605330aac5a5785630aec8f64378a54891937cc
Linux Linux cdaf15b43bd31003220cb080bcbbd57787a2fca9
Linux Linux 4.10.14
Linux Linux 4.11

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.