{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23302", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:57.470Z", "dateUpdated": "2026-03-25T10:26:57.470Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:57.470Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate data-races around sk->sk_{data_ready,write_space}\n\nskmsg (and probably other layers) are changing these pointers\nwhile other cpus might read them concurrently.\n\nAdd corresponding READ_ONCE()/WRITE_ONCE() annotations\nfor UDP, TCP and AF_UNIX."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skmsg.c", "net/ipv4/tcp.c", "net/ipv4/tcp_bpf.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_minisocks.c", "net/ipv4/udp.c", "net/ipv4/udp_bpf.c", "net/unix/af_unix.c"], "versions": [{"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "f17c1c4acbe2bd702abce73a847a04a196fab2c5", "status": "affected", "versionType": "git"}, {"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "27fccdbcbbfc4651b6f66756e6fa3f52e051ec23", "status": "affected", "versionType": "git"}, {"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "2ef2b20cf4e04ac8a6ba68493f8780776ff84300", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skmsg.c", "net/ipv4/tcp.c", "net/ipv4/tcp_bpf.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_minisocks.c", "net/ipv4/udp.c", "net/ipv4/udp_bpf.c", "net/unix/af_unix.c"], "versions": [{"version": "4.20", "status": "affected"}, {"version": "0", "lessThan": "4.20", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f17c1c4acbe2bd702abce73a847a04a196fab2c5"}, {"url": "https://git.kernel.org/stable/c/27fccdbcbbfc4651b6f66756e6fa3f52e051ec23"}, {"url": "https://git.kernel.org/stable/c/2ef2b20cf4e04ac8a6ba68493f8780776ff84300"}], "title": "net: annotate data-races around sk->sk_{data_ready,write_space}", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate data-races around sk->sk_{data_ready,write_space}\n\nskmsg (and probably other layers) are changing these pointers\nwhile other cpus might read them concurrently.\n\nAdd corresponding READ_ONCE()/WRITE_ONCE() annotations\nfor UDP, TCP and AF_UNIX."}], "id": "CVE-2026-23302", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.923", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/27fccdbcbbfc4651b6f66756e6fa3f52e051ec23"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2ef2b20cf4e04ac8a6ba68493f8780776ff84300"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f17c1c4acbe2bd702abce73a847a04a196fab2c5"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: annotate data-races around sk->sk_{data_ready,write_space}", "id": "2451200", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451200"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-366", "details": ["A flaw was found in the Linux kernel. This vulnerability involves data races within the networking subsystem, specifically related to how network socket pointers are handled concurrently by multiple central processing units (CPUs). Without proper synchronization, this concurrent access can lead to unpredictable system behavior."], "name": "CVE-2026-23302", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23302\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23302\nhttps://lore.kernel.org/linux-cve-announce/2026032527-CVE-2026-23302-e03d@gregkh/T"], "statement": "This is a theoretical data race in socket callback pointer handling (sk_data_ready, sk_write_space) for UDP, TCP, and AF_UNIX sockets. The fix adds READ_ONCE()/WRITE_ONCE() annotations to ensure proper memory ordering. While technically a data race, no practical security impact or crash has been demonstrated; this is primarily a correctness fix for concurrent access patterns.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T13:50:45.099001+00:00", "value": {"mitigation_remediation": ["Verify that the running kernel implements the READ_ONCE() and WRITE_ONCE() annotations for sk->sk_data_ready and sk->sk_write_space; the change is present in upstream releases after the commits linked in the references.", "If the current kernel lacks the patch, upgrade to a kernel version that includes the fixes (typically kernel releases after the commit dates).", "Reboot the system so that the updated kernel takes effect.", "Monitor kernel logs (e.g., dmesg, /var/log/kern.log) for any anomalous network activity or crashes that might indicate the race condition is being triggered.", "If an immediate kernel upgrade is not feasible, isolate affected network services or temporarily block external UDP/TCP traffic to mitigate exposure while awaiting the patch."], "summary": {"action": "Apply patch", "impact": "Data race in kernel networking stack"}, "threat_synthesis": {"affected_systems": "All Linux systems whose kernel includes the network stack code for UDP, TCP, or AF_UNIX and that have not yet integrated the READ_ONCE() and WRITE_ONCE() annotations for the affected socket pointers are affected. As the CVE does not specify a version range, any kernel version prior to the upstream fix should be considered vulnerable. The problem originates in the socket handling layers across standard networking protocols.", "description_and_impact": "The vulnerability describes a data race in the Linux kernel\u2019s network stack where concurrent writes to and reads from the sk->sk_data_ready and sk->sk_write_space pointers occur without proper synchronization. This unsynchronized access can produce inconsistent kernel state, potentially leading to undefined behavior, service instability, or a kernel crash. The weakness falls under unchecked concurrent memory accesses, making the kernel susceptible to race conditions.", "risk_and_exploitability": "Neither a CVSS nor an EPSS score is available, and the vulnerability is not catalogued by CISA as a known exploitable vulnerability. The likely attack vector is network\u2011based: an attacker could send specially crafted packets to UDP, TCP, or AF_UNIX endpoints to provoke the race condition. The severity is uncertain, but exploiting the race might destabilise the kernel or allow privilege escalation if the kernel crashes or behaves unpredictably. No public exploitation evidence is reported, so the risk remains theoretical."}}}}, "created": "2026-03-25T21:15:28.426438+00:00", "updated": "2026-03-25T21:15:28.426578+00:00", "vendors": [], "weaknesses": ["CWE-362"]}