Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix the ACK parser to extract the SACK table for parsing

Fix modification of the received skbuff in rxrpc_input_soft_acks() and a
potential incorrect access of the buffer in a fragmented UDP packet (the
packet would probably have to be deliberately pre-generated as fragmented)
when AF_RXRPC tries to extract the contents of the SACK table by copying
out the contents of the SACK table into a buffer before attempting to parse

AF_RXRPC assumes that it can just call skb_condense() and then validly
access the SACK table from skb->data and that it will be a flat buffer -
but skb_condense() can silently fail to do anything under some
circumstances.

Note that whilst rxrpc_input_soft_acks() should be able to parse extended
ACKs, the rest of AF_RXRPC doesn't currently support that.

Further, there's then no need to call skb_condense() in rxrpc_input_ack(),
so don't.
Published: 2026-06-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s AF_RXRPC subsystem contains an out‑of‑bounds read bug caused by its ACK parsing logic. The flaw permits the kernel to read beyond the end of a UDP packet when the parser expects a contiguous buffer and access the selective ACK table after calling skb_condense(). This memory error (CWE‑125) can trigger a kernel crash or reboot, compromising system availability, but it does not provide code execution or privilege escalation.

Affected Systems

All Linux kernel releases that have not incorporated the patch commit that fixes the ACK parser (cve‑committed via 224298450be5c04d2a6ea1c2a94669d7) are affected. This includes every distribution’s kernel where AF_RXRPC is enabled and reachable, i.e., all systems running the Linux kernel prior to the fix. The vulnerability is tied to the AF_RXRPC network interface and therefore affects any host that exposes this interface to untrusted networks.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS score of <1% shows a low likelihood of exploitation in the wild. It is not listed in CISA’s KEV catalog, suggesting no publicly documented exploits. Based on the description, it is inferred that the attack vector is network‑based; an adversary would need to craft fragmented UDP packets and deliver them to a system’s AF_RXRPC endpoint. Successfully triggering the bug can bring the host down, so the risk is significant for exposed systems, yet current evidence points to a lack of active exploit use.

Generated by OpenCVE AI on June 28, 2026 at 13:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes the rxrpc ACK parser fix (commit 224298450be5c04d2a6ea1c2a94669d7).
  • If the system cannot be updated immediately, disable the AF_RXRPC protocol stack or remove the module from the running kernel to eliminate the vulnerable code path.
  • As a last resort, block or filter UDP traffic to the ports used by AF_RXRPC so that no externally crafted packets can reach the vulnerable interface.

Generated by OpenCVE AI on June 28, 2026 at 13:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6381-1 linux security update
History

Sat, 04 Jul 2026 12:15:00 +0000


Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix the ACK parser to extract the SACK table for parsing Fix modification of the received skbuff in rxrpc_input_soft_acks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AF_RXRPC tries to extract the contents of the SACK table by copying out the contents of the SACK table into a buffer before attempting to parse AF_RXRPC assumes that it can just call skb_condense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances. Note that whilst rxrpc_input_soft_acks() should be able to parse extended ACKs, the rest of AF_RXRPC doesn't currently support that. Further, there's then no need to call skb_condense() in rxrpc_input_ack(), so don't.
Title rxrpc: Fix the ACK parser to extract the SACK table for parsing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-04T11:50:54.212Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53151

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53151 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses