Impact
A Linux kernel change that reinstated TCP ports in the secure-sequence calculation inadvertently exposes a client's source port to an off-path observer. The commit revives state that an earlier change had removed, and with it a timing side channel: the time taken to produce a SYN-cookie response varies in a way that depends on the port values folded into the timestamp offset. The flaw does not lead to code execution or memory corruption; it is an information leak. Based on the description, the attack vector is an off-path entity able to measure small timing differences in SYN-cookie responses. By comparing the response times for SYN packets carrying different source ports, the observer can infer the port that was embedded in the timestamp offset. The consequence of the disclosure is informational, but not negligible: the client's ephemeral source port is the one element of a connection's 4-tuple that an off-path attacker normally cannot guess, so learning it lowers the bar for classic off-path attacks such as blind RST or data injection, and it also aids targeted network scans, evasion of port-based firewall rules, and further covert reconnaissance.
Affected Systems
The affected builds are Linux kernels that contain the commit described above, which changed how per-host port data enters secure-sequence randomization, and that have not yet received the revert which undoes it. In practice this means kernel releases preceding the revert commit, including stable branches until the revert is backported to them. The CPE list gives a range from 4.10.14 up to 7.0 rc2. The exact set of vulnerable versions cannot be derived from the available data alone: the vulnerability is present in any kernel build that carries the change and lacks the revert, regardless of its version string.
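Because the CPE range is the only concrete version data on this page, a first triage step is to check whether a host's kernel release even falls inside it. The script below is an added example, not code from OpenCVE or from the Linux kernel project. It assumes the CPE range 4.10.14 to 7.0 rc2 is inclusive at both ends (CPE "up to" wording is ambiguous), treats a release candidate as older than the corresponding final release, and ignores distribution suffixes such as `-37-amd64` or `-arch1-1`. It deliberately reports "potentially-affected" rather than "vulnerable": a stable or distro kernel inside the range may already carry a backported revert, which a version string cannot reveal.

```python
import platform
import re
from typing import Optional, Tuple

# Range quoted from the CPE list above: 4.10.14 up to 7.0 rc2.
# ASSUMPTION: both ends are treated as inclusive.
AFFECTED_LOW = "4.10.14"
AFFECTED_HIGH = "7.0-rc2"

# Comparable key: (major, minor, patch, rc). Final releases get a large
# sentinel for rc so that 7.0-rc2 sorts before 7.0.
FINAL_RC = 10**6

# Upstream part of a release string; anything after it (distro suffix) is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse strings like '6.1.0-37-amd64', '7.0-rc2' or '7.0.0-rc2'.

    Returns (major, minor, patch, rc) or None if the string is not a
    kernel version. A missing patch level is read as 0, so '7.0-rc2' and
    '7.0.0-rc2' compare equal, matching how mainline and uname name the
    same release candidate.
    """
    m = _VER_RE.match(release.strip())
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    rc = int(m.group(4)) if m.group(4) else FINAL_RC
    return (major, minor, patch, rc)


def classify(release: str) -> str:
    """Place a kernel release relative to the CPE range.

    'potentially-affected' means the version is inside the range and the
    build must be checked for the revert (e.g. via the distro changelog);
    'outside-range' means the CPE data does not list it; 'unknown' means
    the string could not be parsed.
    """
    version = parse_kernel_version(release)
    if version is None:
        return "unknown"
    low = parse_kernel_version(AFFECTED_LOW)
    high = parse_kernel_version(AFFECTED_HIGH)
    if low <= version <= high:
        return "potentially-affected"
    return "outside-range"


if __name__ == "__main__":
    # platform.release() returns the running kernel release on Linux.
    running = platform.release()
    print(f"{running}: {classify(running)}")
```

Run it on the host in question; a "potentially-affected" result is the cue to confirm, from the vendor changelog or the kernel source, whether the revert is present before deciding on an update or a workaround.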
Risk and Exploitability
The CVSS base score of 5.5 places the issue at medium severity, and an EPSS score below 1 % indicates a low probability of exploitation in the wild. Exploitation requires an off-path observer with precise timing capability, which narrows the practical attack surface. The vulnerability is not listed in the CISA KEV catalog. Administrators should treat it as a medium-priority issue: update to a kernel that carries the revert where possible, or, where that is not possible, apply the workaround so the source port is no longer leaked.
OpenCVE Enrichment