tipc: fix double-free in tipc_buf_append()_CVE-2026-52993

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix double-free in tipc_buf_append()

tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.

If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.

Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.

AI Analysis

Double-free vulnerability in the Linux kernel's tipc_buf_append() function

Basic Information

ID CVE-2026-52993

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version d618d09a68e4eed7a435beb2e355250f6f40664a

Affected Versions Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a
Linux Linux 4.15

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version d618d09a68e4eed7a435beb2e355250f6f40664a, 4.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix double-free in tipc_buf_append()\n\ntipc_msg_validate() can potentially reallocate the skb it is validating,\nfreeing the old one.  In tipc_buf_append(), it was being called with a\npointer to a local variable which was a copy of the caller's skb\npointer.\n\nIf the skb was reallocated and validation subsequently failed, the error\nhandling path would free the original skb pointer, which had already\nbeen freed, leading to double-free.\n\nFix this by checking if head now points to a newly allocated reassembled\nskb.  If it does, reassign *headbuf for later freeing operations.",
    "published": "2026-06-24T16:29:06.475Z",
    "modified": "2026-06-28T06:37:46.811Z",
    "type": "cve",
    "title": "tipc: fix double-free in tipc_buf_append()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/a438975a6dcdbd70865978c021650d1485586f0b\nhttps://git.kernel.org/stable/c/4ee4deadaae7cb2e3d53af0fc889cf92a73413c0\nhttps://git.kernel.org/stable/c/d3556656c6daebf8def751c7e71d11dd0a180d24\nhttps://git.kernel.org/stable/c/0274f24485fc38032d4093e463dc3ff5c7a667c9\nhttps://git.kernel.org/stable/c/4d104882bc815d4ec666ace9155f5f52715879a6\nhttps://git.kernel.org/stable/c/1d5e589055880fae229e229e1929e087dbe08cf3\nhttps://git.kernel.org/stable/c/29940fff14110ca48c5ccc168d121665b51bb778\nhttps://git.kernel.org/stable/c/d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a",
    "id": "CVE-2026-52993",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux d618d09a68e4eed7a435beb2e355250f6f40664a\nLinux Linux 4.15",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
    "vendor": "Linux",
    "ai_description": "Double-free vulnerability in the Linux kernel's tipc_buf_append() function",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "d618d09a68e4eed7a435beb2e355250f6f40664a, 4.15",
    "ai_score": 9.8
}