Description
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix double-free in tipc_buf_append()

tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.

If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.

Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a double-free in the Linux kernel’s TIPC module, specifically in tipc_buf_append(). During validation, tipc_msg_validate may reallocate a socket buffer; if the allocation fails, the error path frees the original buffer again, corrupting kernel memory and potentially causing a crash.

Affected Systems

It affects all Linux kernel builds lacking the commit that introduced the fix. All distributions that ship an unpatched kernel containing the vulnerable TIPC code are impacted, regardless of specific kernel version.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is considered critical; however, the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not present in the CISA KEV catalog. The likely attack vector involves sending a crafted TIPC packet that triggers tipc_msg_validate, leading to a double-free and kernel crash, although the precise exploitation conditions are inferred from the description.

Generated by OpenCVE AI on June 28, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the commit fixing the double-free, as documented in the official advisory references.
  • If the vendor does not provide an immediate patch, apply the patch from the referenced commits to the local kernel source, rebuild, and install the updated kernel image.
  • Where updating is infeasible, restrict or disable TIPC network services to reduce exposure, and monitor system logs for kernel Oops or crash events that may indicate unresolved issues.

Generated by OpenCVE AI on June 28, 2026 at 13:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tipc: fix double-free in tipc_buf_append() tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free. Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
Title tipc: fix double-free in tipc_buf_append()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-30T12:09:39.515Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52993

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52993 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:15:16Z

Weaknesses
  • CWE-763

    Release of Invalid Pointer or Reference