CVE-2026-23247 - Vulnerability Details

- tcp: secure_seq: add back ports to TS offset

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: secure_seq: add back ports to TS offset

This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets")

tcp_tw_recycle went away in 2017.

Zhouyan Deng reported off-path TCP source port leakage via
SYN cookie side-channel that can be fixed in multiple ways.

One of them is to bring back TCP ports in TS offset randomization.

As a bonus, we perform a single siphash() computation
to provide both an ISN and a TS offset.

Published: 2026-03-18

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel change that re‑introduced TCP source port values into secure‑sequence number randomization unintentionally enables an off‑path attacker to recover the client’s source port via a timing side‑channel on the SYN‑cookie response. By measuring slight differences in the time it takes for the kernel to generate the SYN‑cookie and its accompanying timestamp offset, the attacker can infer the original source port. This information can help bypass port‑based filtering, enable more targeted scans, and serve as a foothold for further network attacks. The flaw does not provide direct code execution or memory corruption; it merely leaks data.

Affected Systems

All Linux kernel builds that contain the commit that removed per‑host port data from the secure‑sequence number calculation (identified by commit 28ee1b746f49) and have not yet applied the revert that restores that data are vulnerable. In practice this covers every distribution that shipped a kernel version before the revert was merged. The affected product is simply the "Linux kernel" across all vendors that ship it.

Risk and Exploitability

The CVSS base score of 5.5 indicates a moderate severity, and the EPSS score of less than 1 % suggests a low overall probability of exploitation. The attack requires an off‑path observer with precise timing capabilities to measure SYN‑cookie response times, a condition that limits the attack surface but still makes the disclosed information valuable. The vulnerability is not listed in the CISA KEV catalog, but because the leaked data can aid in port‑scanning and threat propagation, administrators should consider it a high‑priority defensive requirement for systems exposed to the Internet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`28ee1b746f493b7c62347d714f58fbf4f70df4f0`	affected	< eae2f14ab2efccdb7480fae7d42c4b0116ef8805
`28ee1b746f493b7c62347d714f58fbf4f70df4f0`	affected	< 46e5b0d7cf55821527adea471ffe52a5afbd9caf
`28ee1b746f493b7c62347d714f58fbf4f70df4f0`	affected	< 165573e41f2f66ef98940cf65f838b2cb575d9d1
`443fac9f2618b93cbc5ab068dc594530236b3a23`	affected	—

Linux

affected

Version	Status	Constraints
`4.11`	affected	—
`0`	unaffected	< 4.11
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[28ee1b746f493b7c62347d714f58fbf4f70df4f0,eae2f14ab2efccdb7480fae7d42c4b0116ef8805)`	affected	code_commit	—
`[28ee1b746f493b7c62347d714f58fbf4f70df4f0,46e5b0d7cf55821527adea471ffe52a5afbd9caf)`	affected	code_commit	—
`[28ee1b746f493b7c62347d714f58fbf4f70df4f0,165573e41f2f66ef98940cf65f838b2cb575d9d1)`	affected	code_commit	—
`443fac9f2618b93cbc5ab068dc594530236b3a23`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.11`	affected	generic	—
`[0,4.11)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a release that includes the revert commit restoring port data in secure_seq; use the most recent kernel provided by your distribution.
Verify that the running kernel contains the commit that re‑introduces port usage by inspecting the source or kernel version string.
If a kernel update cannot be performed promptly, disable SYN cookies by setting net.ipv4.tcp_syncookies=0 in sysctl configuration or via sysctl -w net.ipv4.tcp_syncookies=0.

Generated by OpenCVE AI on March 26, 2026 at 05:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1
https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf
https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805
https://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23247-07b3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23247
https://www.cve.org/CVERecord?id=CVE-2026-23247

History

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200 CWE-790

Wed, 25 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200 CWE-790

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200

Tue, 24 Mar 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200

Thu, 19 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23247-07b3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23247 https://www.cve.org/CVERecord?id=CVE-2026-23247
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 18 Mar 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tcp: secure_seq: add back ports to TS offset This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets") tcp_tw_recycle went away in 2017. Zhouyan Deng reported off-path TCP source port leakage via SYN cookie side-channel that can be fixed in multiple ways. One of them is to bring back TCP ports in TS offset randomization. As a bonus, we perform a single siphash() computation to provide both an ISN and a TS offset.
Title		tcp: secure_seq: add back ports to TS offset
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1 https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-18T10:05:09.353Z

Updated: 2026-04-13T06:03:04.908Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23247

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-18T11:16:16.723

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-23247

Redhat

Severity : Low

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23247 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:21:07Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object