CVE-2026-52935 - Vulnerability Details

- xfrm: espintcp: do not reuse an in-progress partial send

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: espintcp: do not reuse an in-progress partial send

espintcp keeps a single in-flight transmit in ctx->partial.
Before building a new sk_msg, espintcp_sendmsg() first tries to flush
that state through espintcp_push_msgs().

For blocking callers, espintcp_push_msgs() may return success even when
the previous partial send is still pending. espintcp_sendmsg() would
then reinitialize emsg->skmsg and reuse ctx->partial while the old
transfer still owns that state.

Do not rebuild the send message when ctx->partial is still in progress.
If espintcp_push_msgs() returns with emsg->len still set, fail the new
send instead of overwriting the live partial state.

This is a memory-safety fix: reusing the live partial-send state can
leave a stale offset attached to a new sk_msg and lead to an out-of-
bounds read in the send path.

tcp_sendmsg_locked() already handles waiting for send buffer memory, so
the fix here is just to preserve espintcp's one-message-at-a-time
transmit state.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 6564e9c7af7e1dc7bfe7f3093b728abe484d7630
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 1777ceac4bea5e568a5ad44b7f9bb219c1db21b6
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 8c6c691bf062dc0753a139a4ab8cb92a70fcf8f3
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< aa82a078f70f7ff88ba7d1017134e79d1ac140f2
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< ba21439302db9a82fe4edbed1e38a97271529421
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 37487d55bf3300e3d2c1368da5c2bd3e3834ea4f
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< c381039ade2e161ab08c0eda73c4f8b9a7115928

Linux

affected

Version	Status	Constraints
`5.6`	affected	—
`0`	unaffected	< 5.6
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1777ceac4bea5e568a5ad44b7f9bb219c1db21b6
https://git.kernel.org/stable/c/37487d55bf3300e3d2c1368da5c2bd3e3834ea4f
https://git.kernel.org/stable/c/6564e9c7af7e1dc7bfe7f3093b728abe484d7630
https://git.kernel.org/stable/c/8c6c691bf062dc0753a139a4ab8cb92a70fcf8f3
https://git.kernel.org/stable/c/aa82a078f70f7ff88ba7d1017134e79d1ac140f2
https://git.kernel.org/stable/c/ba21439302db9a82fe4edbed1e38a97271529421
https://git.kernel.org/stable/c/c381039ade2e161ab08c0eda73c4f8b9a7115928
https://git.kernel.org/stable/c/f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990

History

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm: espintcp: do not reuse an in-progress partial send espintcp keeps a single in-flight transmit in ctx->partial. Before building a new sk_msg, espintcp_sendmsg() first tries to flush that state through espintcp_push_msgs(). For blocking callers, espintcp_push_msgs() may return success even when the previous partial send is still pending. espintcp_sendmsg() would then reinitialize emsg->skmsg and reuse ctx->partial while the old transfer still owns that state. Do not rebuild the send message when ctx->partial is still in progress. If espintcp_push_msgs() returns with emsg->len still set, fail the new send instead of overwriting the live partial state. This is a memory-safety fix: reusing the live partial-send state can leave a stale offset attached to a new sk_msg and lead to an out-of- bounds read in the send path. tcp_sendmsg_locked() already handles waiting for send buffer memory, so the fix here is just to preserve espintcp's one-message-at-a-time transmit state.
Title		xfrm: espintcp: do not reuse an in-progress partial send
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1777ceac4bea5e568a5ad44b7f9bb219c1db21b6 https://git.kernel.org/stable/c/37487d55bf3300e3d2c1368da5c2bd3e3834ea4f https://git.kernel.org/stable/c/6564e9c7af7e1dc7bfe7f3093b728abe484d7630 https://git.kernel.org/stable/c/8c6c691bf062dc0753a139a4ab8cb92a70fcf8f3 https://git.kernel.org/stable/c/aa82a078f70f7ff88ba7d1017134e79d1ac140f2 https://git.kernel.org/stable/c/ba21439302db9a82fe4edbed1e38a97271529421 https://git.kernel.org/stable/c/c381039ade2e161ab08c0eda73c4f8b9a7115928 https://git.kernel.org/stable/c/f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:25.988Z

Updated: 2026-06-24T07:14:25.988Z

Reserved: 2026-06-09T07:44:35.369Z

Link: CVE-2026-52935

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object