net: skbuff: fix missing zerocopy reference in pskb_carve helpers

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: fix missing zerocopy reference in pskb_carve helpers

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.

KASAN reports use-after-free on a freed ubuf_info_msgzc:

BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810
Read of size 8 at addr ffff88801574d3e8 by task poc/220

Call Trace:
skb_release_data+0x77b/0x810
kfree_skb_list_reason+0x13e/0x610
skb_release_data+0x4cd/0x810
sk_skb_reason_drop+0xf3/0x340
skb_queue_purge_reason+0x282/0x440
rds_tcp_inc_free+0x1e/0x30
rds_recvmsg+0x354/0x1780
__sys_recvmsg+0xdf/0x180

Allocated by task 219:
msg_zerocopy_realloc+0x157/0x7b0
tcp_sendmsg_locked+0x2892/0x3ba0

Freed by task 219:
ip_recv_error+0x74a/0xb10
tcp_recvmsg+0x475/0x530

The skb consuming the late access still referenced the same uarg via
shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without
a refcount bump. This has been verified to be reliably exploitable: a
working proof-of-concept achieves full root privilege escalation from
an unprivileged local user on a default kernel configuration.

The fix follows the pattern of pskb_expand_head() which has the same
memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()
is placed after skb_orphan_frags() succeeds, so the orphan error path
needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is
placed after all failure points and just before skb_release_data(), so
no error path needs cleanup at all -- matching pskb_expand_head() more
closely and avoiding the need for a balancing net_zcopy_put().

Basic Information

ID CVE-2026-52943

Source Linux

Published Jun 24, 2026 at 09:00

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version 6fa01ccd883021105e9f8af7d04b9f156fa3494a

Affected Versions Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a
Linux Linux 4.7

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: fix missing zerocopy reference in pskb_carve helpers\n\npskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy\nthe old skb_shared_info header into a new buffer via memcpy(), which\nincludes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.\nNeither function calls net_zcopy_get() for the new shinfo, creating an\nunaccounted holder: every skb_shared_info with destructor_arg set will\ncall skb_zcopy_clear() once when freed, but the corresponding\nnet_zcopy_get() was never called for the new copy. Repeated calls\ndrive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while\nTX skbs still hold live destructor_arg pointers.\n\nKASAN reports use-after-free on a freed ubuf_info_msgzc:\n\n  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810\n  Read of size 8 at addr ffff88801574d3e8 by task poc/220\n\n  Call Trace:\n   skb_release_data+0x77b/0x810\n   kfree_skb_list_reason+0x13e/0x610\n   skb_release_data+0x4cd/0x810\n   sk_skb_reason_drop+0xf3/0x340\n   skb_queue_purge_reason+0x282/0x440\n   rds_tcp_inc_free+0x1e/0x30\n   rds_recvmsg+0x354/0x1780\n   __sys_recvmsg+0xdf/0x180\n\n  Allocated by task 219:\n   msg_zerocopy_realloc+0x157/0x7b0\n   tcp_sendmsg_locked+0x2892/0x3ba0\n\n  Freed by task 219:\n   ip_recv_error+0x74a/0xb10\n   tcp_recvmsg+0x475/0x530\n\nThe skb consuming the late access still referenced the same uarg via\nshinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without\na refcount bump. This has been verified to be reliably exploitable: a\nworking proof-of-concept achieves full root privilege escalation from\nan unprivileged local user on a default kernel configuration.\n\nThe fix follows the pattern of pskb_expand_head() which has the same\nmemcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()\nis placed after skb_orphan_frags() succeeds, so the orphan error path\nneeds no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is\nplaced after all failure points and just before skb_release_data(), so\nno error path needs cleanup at all -- matching pskb_expand_head() more\nclosely and avoiding the need for a balancing net_zcopy_put().",
    "published": "2026-06-24T09:00:12.292Z",
    "modified": "2026-06-28T06:37:01.760Z",
    "type": "cve",
    "title": "net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/8dbed691e43a50903658130bde0fcb5abc425b37\nhttps://git.kernel.org/stable/c/9b40bdc2a3298225dffab8158208a0d8c6300578\nhttps://git.kernel.org/stable/c/fd470f0a97b8e9a125f520265d2f3b088ffb5b8a\nhttps://git.kernel.org/stable/c/ceafb893b12f23331dcc5ff9587e643c3a40ee9f\nhttps://git.kernel.org/stable/c/2e0e74c59b2761a414d9f48d7bee1e45220b2427\nhttps://git.kernel.org/stable/c/96a4713ae041cc85e712bac682cd2e644004d6c6\nhttps://git.kernel.org/stable/c/474d6c771d798bca84f0a140b611e36743511e18\nhttps://git.kernel.org/stable/c/98d0912e9f841e5529a5b89a972805f34cb1c69d",
    "id": "CVE-2026-52943",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 6fa01ccd883021105e9f8af7d04b9f156fa3494a\nLinux Linux 4.7",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net: skbuff: fix missing zerocopy reference in pskb_carve helpers_CVE-2026-52943

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply