Description
In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.
Published: 2026-06-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel misclassifies packets that carry the PACKET_OUTGOING flag, treating them as members of the error queue even when they originate from AF_PACKET sockets. When timestamping is enabled, the timestamp control‑message path reads state from AF_PACKET’s control buffer, leading to a buffer under‑read (CWE‑125). If the packet is non‑linear, this read extends past the linear head and can trigger a hardened usercopy failure, which may result in a kernel crash, or expose adjacent heap contents, which could leak sensitive information.

Affected Systems

All releases of the Linux kernel older than the commit that introduced this logic fix (identified by the hash 1ee90b77b727df903033db873c75caac5c27ec98).

Risk and Exploitability

The CVSS score of 7.1 and an EPSS score of less than 1% indicate a moderate severity and low likelihood of widespread exploitation. The likely attack vector is via raw packet sockets with timestamping enabled; an attacker needs to be able to craft and send packets that trigger the timestamp path. Because the vulnerability does not provide remote code execution, its impact is limited to kernel crashes or information disclosure, and it remains confined to the local host. The vulnerability is not listed in the CISA KEV catalog, further supporting a moderate risk posture.

Generated by OpenCVE AI on June 28, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit 1ee90b77b727df903033db873c75caac5c27ec98 or later
  • If an upgrade is delayed, disable SO_RXQ_OVFL or timestamping on AF_PACKET sockets to prevent the vulnerable code path from executing
  • Avoid using raw packet sockets or privileged packet‑tapping utilities that enable timestamping until a patched kernel is deployed

Generated by OpenCVE AI on June 28, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: guard timestamp cmsgs to real error queue skbs skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb from sk_error_queue. That assumption is not true for AF_PACKET sockets: outgoing packet taps are also delivered to packet sockets with skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET instead of struct sock_exterr_skb. If such an skb is received with timestamping enabled, the generic timestamp cmsg path can read AF_PACKET control-buffer state as sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop counter overlaps opt_stats. An odd drop count makes the path emit SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear skbs this copies past the linear head and can trigger hardened usercopy or disclose adjacent heap contents. Keep skb_is_err_queue() local to net/socket.c, but make it verify that the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal receive ownership and no longer pass as error-queue skbs, while legitimate sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free ownership.
Title net: guard timestamp cmsgs to real error queue skbs
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:34.222Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53223

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53223 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:15:08Z

Weaknesses