Impact
The Linux kernel’s AF_RXRPC subsystem contains an out‑of‑bounds read bug caused by its ACK parsing logic. The flaw permits the kernel to read beyond the end of a UDP packet when the parser expects a contiguous buffer and access the selective ACK table after calling skb_condense(). This memory error (CWE‑125) can trigger a kernel crash or reboot, compromising system availability, but it does not provide code execution or privilege escalation.
Affected Systems
All Linux kernel releases that have not incorporated the patch commit that fixes the ACK parser (cve‑committed via 224298450be5c04d2a6ea1c2a94669d7) are affected. This includes every distribution’s kernel where AF_RXRPC is enabled and reachable, i.e., all systems running the Linux kernel prior to the fix. The vulnerability is tied to the AF_RXRPC network interface and therefore affects any host that exposes this interface to untrusted networks.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity, while the EPSS score of <1% shows a low likelihood of exploitation in the wild. It is not listed in CISA’s KEV catalog, suggesting no publicly documented exploits. Based on the description, it is inferred that the attack vector is network‑based; an adversary would need to craft fragmented UDP packets and deliver them to a system’s AF_RXRPC endpoint. Successfully triggering the bug can bring the host down, so the risk is significant for exposed systems, yet current evidence points to a lack of active exploit use.
OpenCVE Enrichment
Debian DSA