Description
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix double-free in tipc_buf_append()

tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.

If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.

Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a double-free in the kernel's TIPC code. tipc_msg_validate() can reallocate the socket buffer (skb) it is validating and free the old one. Because tipc_buf_append() passed it a pointer to a local copy of the caller's skb pointer, the caller's pointer still referenced the freed buffer. If validation fails after the reallocation, the error-handling path frees that original buffer a second time, corrupting kernel memory and potentially enabling an attacker to execute arbitrary code in kernel mode.
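The pointer-aliasing pattern behind this bug, as an added example that is neither kernel code nor part of the original record: a simplified userspace model in C. The names `struct buf`, `validate`, `append_vulnerable`, `append_fixed` and `frees_after_failure` are constructed for illustration, the model's validator always reallocates, and a per-buffer counter stands in for real frees.

```c
#include <stdio.h>

/* Constructed userspace stand-in for an skb: 'frees' counts releases, so a
 * double free shows up as a count of 2 instead of corrupting the heap. */
static struct buf { int frees; int valid; } pool[4];
static int pool_next;
static struct buf *buf_alloc(int valid) {
    struct buf *b = &pool[pool_next++];
    *b = (struct buf){ 0, valid };
    return b;
}
static void buf_free(struct buf *b) { if (b) b->frees++; }

/* Validator model: replaces *pb with a copy, frees the old buffer, and can
 * still report failure afterwards. */
static int validate(struct buf **pb) {
    struct buf *copy = buf_alloc((*pb)->valid);
    buf_free(*pb);
    *pb = copy;
    return copy->valid;
}
/* Vulnerable shape: the validator only updates the local copy 'head'. */
static int append_vulnerable(struct buf **headbuf) {
    struct buf *head = *headbuf;
    if (validate(&head)) { *headbuf = head; return 1; }
    buf_free(*headbuf);     /* stale pointer: second free of the old buffer */
    *headbuf = NULL;
    return 0;
}
/* Fixed shape: adopt the reallocated buffer before any error handling. */
static int append_fixed(struct buf **headbuf) {
    struct buf *head = *headbuf;
    int ok = validate(&head);
    if (head != *headbuf) *headbuf = head;
    if (!ok) { buf_free(*headbuf); *headbuf = NULL; }
    return ok;
}
/* Free count of buffer idx (0 = original, 1 = copy) after a failed append. */
static int frees_after_failure(int (*append)(struct buf **), int idx) {
    pool_next = 0;
    struct buf *head = buf_alloc(0);   /* valid = 0 forces the error path */
    append(&head);
    return pool[idx].frees;
}

int main(void) {
    printf("old buffer frees, vulnerable: %d\n", frees_after_failure(append_vulnerable, 0));
    printf("old buffer frees, fixed: %d\n", frees_after_failure(append_fixed, 0));
    return 0;
}
```

In the vulnerable shape the original buffer is released twice and the reallocated copy is never released; in the fixed shape each buffer is released exactly once.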

Affected Systems

The flaw affects all Linux kernel builds that contain the unpatched TIPC code, including every distribution that uses a kernel version prior to the commit that resolves the double‑free. Exact affected kernel releases are not listed, but any system that has not applied the kernel patch in the provided commit references is vulnerable.

Risk and Exploitability

There is no CVSS score or EPSS data available, and the vulnerability is not in the CISA KEV catalog. Nevertheless, a double‑free in kernel space is a high‑severity issue that can lead to privilege escalation or remote code execution. The likely attack vector is via a crafted TIPC packet sent to a system that actively uses the TIPC protocol; therefore, remote exploitation is considered feasible if the attacker can reach the vulnerable interface.

Generated by OpenCVE AI on June 24, 2026 at 18:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Linux kernel version that incorporates the patch shown in the commit references; vendor packages that include the fix should be applied as part of a standard security update.
  • If an immediate kernel upgrade is not possible, backport or manually apply the patch from the provided commits to the local kernel source, then rebuild and install the updated kernel.
  • Verify that no error logs indicating kernel oopses or double‑free crashes appear; if anomalies are observed, investigate potential exploitation attempts and reconsider updating sooner.

Generated by OpenCVE AI on June 24, 2026 at 18:40 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:00:00 +0000

Values Removed: (none)
Values Added:
Weaknesses: CWE-415

Wed, 24 Jun 2026 17:15:00 +0000

Values Removed: (none)
Values Added:
Description: In the Linux kernel, the following vulnerability has been resolved: tipc: fix double-free in tipc_buf_append() tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free. Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
Title: tipc: fix double-free in tipc_buf_append()
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:06.475Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52993

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:45:05Z

Weaknesses