Description
In the Linux kernel, the following vulnerability has been resolved:

udp: call skb_orphan() before skb_attempt_defer_free()

Standard UDP receive path does not use skb->destructor.

But skmsg layer does use it, since it calls skb_set_owner_sk_safe()
from udp_read_skb().

This then triggers this warning in skb_attempt_defer_free():

DEBUG_NET_WARN_ON_ONCE(skb->destructor);

We must call skb_orphan() to fix this issue.
Published: 2026-02-04
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption that could lead to privilege escalation or system crash
Action: Apply patch
AI Analysis

Impact

The flaw arises from a mismatch in how socket buffers are handled during UDP packet reception. The standard UDP receive path does not use the skb->destructor field, while the skmsg layer does, which triggers a defensive warning in skb_attempt_defer_free(). This discrepancy can result in a double free or use-after-free condition, classified as CWE-416, and may corrupt kernel memory. If exploited, an attacker could potentially gain elevated privileges or crash the operating system.

Affected Systems

The vulnerability is present in the Linux kernel itself. Vendors and product families include Linux: Linux kernel, covering all compiled kernel images built from the mainline source. No explicit build or version range is specified, so any kernel that has not applied the upstream patch may be susceptible until updated.

Risk and Exploitability

The CVSS score of 7.0 indicates a high-severity vulnerability, yet the EPSS score of less than 1% suggests that exploitation in the wild is currently very unlikely. The flaw is not listed in the CISA KEV catalog, which further supports the assessment of low exploitation risk. The most probable attack vector is remote, using crafted UDP packets that reach processes handling network traffic. Exploitation would likely require precise timing and could demand that the attacker has network connectivity to the target system or access to services that observe UDP traffic. Even so, a successful exploit would result in kernel memory corruption, potentially allowing privilege escalation or denial of service.

Generated by OpenCVE AI on April 18, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the CVE-2026-23048 fix
  • Reboot the system to load the updated kernel
  • If immediate patching is not feasible, limit or filter UDP traffic to non‑essential ports to reduce exposure



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-416

Thu, 05 Feb 2026 12:15:00 +0000

Type: References (no values shown)

Type: Metrics
Values Removed:
  threat_severity: None
Values Added:
  cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  threat_severity: Important


Wed, 04 Feb 2026 16:15:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: udp: call skb_orphan() before skb_attempt_defer_free() Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); We must call skb_orphan() to fix this issue.

Type: Title
Values Added: udp: call skb_orphan() before skb_attempt_defer_free()

Type: First Time appeared
Values Added: Linux, Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux, Linux linux Kernel

Type: References (no values shown)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:43.601Z

Reserved: 2026-01-13T15:37:45.949Z

Link: CVE-2026-23048

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-02-04T16:16:20.343

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23048

Redhat

Severity : Important

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23048 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses