xfrm: espintcp: do not reuse an in-progress partial send

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: espintcp: do not reuse an in-progress partial send

espintcp keeps a single in-flight transmit in ctx->partial.
Before building a new sk_msg, espintcp_sendmsg() first tries to flush
that state through espintcp_push_msgs().

For blocking callers, espintcp_push_msgs() may return success even when
the previous partial send is still pending. espintcp_sendmsg() would
then reinitialize emsg->skmsg and reuse ctx->partial while the old
transfer still owns that state.

Do not rebuild the send message when ctx->partial is still in progress.
If espintcp_push_msgs() returns with emsg->len still set, fail the new
send instead of overwriting the live partial state.

This is a memory-safety fix: reusing the live partial-send state can
leave a stale offset attached to a new sk_msg and lead to an out-of-
bounds read in the send path.

tcp_sendmsg_locked() already handles waiting for send buffer memory, so
the fix here is just to preserve espintcp's one-message-at-a-time
transmit state.

Basic Information

ID CVE-2026-52935

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version e27cca96cd68fa2c6814c90f9a1cfd36bb68c593

Affected Versions Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
Linux Linux 5.6

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: espintcp: do not reuse an in-progress partial send\n\nespintcp keeps a single in-flight transmit in ctx->partial.\nBefore building a new sk_msg, espintcp_sendmsg() first tries to flush\nthat state through espintcp_push_msgs().\n\nFor blocking callers, espintcp_push_msgs() may return success even when\nthe previous partial send is still pending. espintcp_sendmsg() would\nthen reinitialize emsg->skmsg and reuse ctx->partial while the old\ntransfer still owns that state.\n\nDo not rebuild the send message when ctx->partial is still in progress.\nIf espintcp_push_msgs() returns with emsg->len still set, fail the new\nsend instead of overwriting the live partial state.\n\nThis is a memory-safety fix: reusing the live partial-send state can\nleave a stale offset attached to a new sk_msg and lead to an out-of-\nbounds read in the send path.\n\ntcp_sendmsg_locked() already handles waiting for send buffer memory, so\nthe fix here is just to preserve espintcp's one-message-at-a-time\ntransmit state.",
    "published": "2026-06-24T07:14:25.988Z",
    "modified": "2026-06-28T06:36:56.763Z",
    "type": "cve",
    "title": "xfrm: espintcp: do not reuse an in-progress partial send",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/6564e9c7af7e1dc7bfe7f3093b728abe484d7630\nhttps://git.kernel.org/stable/c/1777ceac4bea5e568a5ad44b7f9bb219c1db21b6\nhttps://git.kernel.org/stable/c/8c6c691bf062dc0753a139a4ab8cb92a70fcf8f3\nhttps://git.kernel.org/stable/c/aa82a078f70f7ff88ba7d1017134e79d1ac140f2\nhttps://git.kernel.org/stable/c/ba21439302db9a82fe4edbed1e38a97271529421\nhttps://git.kernel.org/stable/c/f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990\nhttps://git.kernel.org/stable/c/37487d55bf3300e3d2c1368da5c2bd3e3834ea4f\nhttps://git.kernel.org/stable/c/c381039ade2e161ab08c0eda73c4f8b9a7115928",
    "id": "CVE-2026-52935",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux e27cca96cd68fa2c6814c90f9a1cfd36bb68c593\nLinux Linux 5.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

xfrm: espintcp: do not reuse an in-progress partial send_CVE-2026-52935

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply