Impact
The Linux kernel espintcp subsystem incorrectly reuses a partially sent packet when a new send request is issued while a previous transmission is still in flight. This reuse overwrites the partial buffer with stale state, causing the kernel to perform an out‑of‑bounds read during the send path. As a result, an attacker could trigger a memory read that leaks kernel data to a sending process, potentially exposing sensitive information.
Affected Systems
All Linux kernel implementations are affected, regardless of distribution. The vulnerability is present in any kernel version prior to the commit that implements the protective change described in the advisory. The CPE string identifies the Linux kernel as the scope of the issue.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity, and the EPSS score of < 1% signals a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires a scenario where espintcp traffic is actively transmitting and a new send request occurs before the previous send completes, a state that is not trivially reachable from a normal user process. The likelihood of exploitation appears low, but the impact of a successful out‑of‑bounds read is a loss of confidentiality for kernel memory.
OpenCVE Enrichment
Debian DLA