Description
In the Linux kernel, the following vulnerability has been resolved:

net: Drop the lock in skb_may_tx_timestamp()

skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must
not be taken in IRQ context, only softirq is okay. A few drivers receive
the timestamp via a dedicated interrupt and complete the TX timestamp
from that handler. This will lead to a deadlock if the lock is already
write-locked on the same CPU.

Taking the lock can be avoided. The socket (pointed by the skb) will
remain valid until the skb is released. The ->sk_socket and ->file
member will be set to NULL once the user closes the socket which may
happen before the timestamp arrives.
If we happen to observe the pointer while the socket is closing but
before the pointer is set to NULL then we may use it because both
pointer (and the file's cred member) are RCU freed.

Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a
matching WRITE_ONCE() where the pointer are cleared.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A recent flaw in the Linux kernel causes a deadlock when the function skb_may_tx_timestamp() acquires the sock::sk_callback_lock while operating in interrupt context. Because this lock should only be taken in softirq or main context, the kernel may block when it is already write‑locked on the same CPU, leading to a halt in socket activity. The weakness corresponds to CWE‑665, Improper Lock Handling and is mitigated by dropping the lock and accessing the socket pointer safely with READ_ONCE()/WRITE_ONCE().

Affected Systems

The vulnerability applies to any Linux kernel that implements skb_may_tx_timestamp() and uses drivers that obtain timestamps via dedicated interrupts. No specific kernel version is listed, so all current kernels enabling transmit timestamping features may be affected.

Risk and Exploitability

The EPSS score is not available and the CVE is not yet listed in the CISA KEV catalog, indicating no known active exploits. An attacker who can open sockets that request transmit timestamps or otherwise trigger the timestamp handler might induce a deadlock, causing a local denial‑of‑service. The likely attack vector is a local user or privileged process interacting with network sockets, as the exploit requires engaging the kernel’s transmit timestamping path.

Generated by OpenCVE AI on May 6, 2026 at 16:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that incorporates the patch dropping the lock in skb_may_tx_timestamp()
  • If an upgrade is not immediately possible, disable or remove network drivers that obtain timestamps via dedicated interrupts
  • Verify that the kernel configuration does not enable timestamping options or modules such as CONFIG_NET_SCH_TSFIX when not needed

Generated by OpenCVE AI on May 6, 2026 at 16:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skb_may_tx_timestamp() skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and complete the TX timestamp from that handler. This will lead to a deadlock if the lock is already write-locked on the same CPU. Taking the lock can be avoided. The socket (pointed by the skb) will remain valid until the skb is released. The ->sk_socket and ->file member will be set to NULL once the user closes the socket which may happen before the timestamp arrives. If we happen to observe the pointer while the socket is closing but before the pointer is set to NULL then we may use it because both pointer (and the file's cred member) are RCU freed. Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a matching WRITE_ONCE() where the pointer are cleared.
Title net: Drop the lock in skb_may_tx_timestamp()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:18.277Z

Reserved: 2026-05-01T14:12:55.993Z

Link: CVE-2026-43216

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:41.190

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43216

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:30:07Z

Weaknesses