Description
In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel incorrectly assumes that an skb marked PACKET_OUTGOING always comes from a socket error queue. AF_PACKET sockets violate this assumption: outgoing packet taps delivered to them carry the same marker, so the timestamp control-message path can read AF_PACKET control-buffer data as if it were error-queue state (sock_exterr_skb). The misinterpretation may cause the kernel to emit timestamping statistics that copy beyond the linear head of the skb, triggering a hardened usercopy failure or exposing adjacent heap memory. The result can be a kernel crash or the disclosure of sensitive data.
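The type confusion and the hardened check from the Description, as an added user-space C model (not kernel code and not taken from the patch). `struct skb_model`, `make_skb`, the `*_model` destructors and the `CB_OVERLAP` offset are constructed stand-ins; the offset is an assumption chosen only so the two readings of `cb` collide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PACKET_OUTGOING 4u   /* value from <linux/if_packet.h> */
#define CB_OVERLAP 44        /* model-only offset where both cb users collide */

struct skb_model {                        /* constructed stand-in for struct sk_buff */
    uint8_t pkt_type;
    void (*destructor)(struct skb_model *);
    size_t len, headlen;                  /* total bytes vs bytes in the linear head */
    unsigned char cb[48];
};

static void sock_rmem_free_model(struct skb_model *s) { (void)s; } /* error-queue owner */
static void rx_free_model(struct skb_model *s) { (void)s; }        /* normal receive owner */

/* Pre-fix predicate: PACKET_OUTGOING alone marks an error-queue skb. */
static bool is_err_queue_old(const struct skb_model *s) {
    return s->pkt_type == PACKET_OUTGOING;
}

/* Post-fix predicate: the marker must be paired with the error-queue destructor. */
static bool is_err_queue_fixed(const struct skb_model *s) {
    return s->pkt_type == PACKET_OUTGOING && s->destructor == sock_rmem_free_model;
}

/* Bytes an OPT_STATS copy of skb->len would read past the linear head (0 = none). */
static size_t opt_stats_overread(const struct skb_model *s,
                                 bool (*is_errq)(const struct skb_model *)) {
    bool opt_stats = s->cb[CB_OVERLAP] & 1;    /* cb interpreted as sock_exterr_skb */
    if (!is_errq(s) || !opt_stats)
        return 0;
    return s->len > s->headlen ? s->len - s->headlen : 0;
}

/* cb_byte is the drop counter's low byte (tap) or the opt_stats flag (error queue). */
static struct skb_model make_skb(void (*d)(struct skb_model *), uint8_t cb_byte,
                                 size_t len, size_t headlen) {
    struct skb_model s = { PACKET_OUTGOING, d, len, headlen, {0} };
    s.cb[CB_OVERLAP] = cb_byte;
    return s;
}

int main(void) {
    struct skb_model tap = make_skb(rx_free_model, 3, 4096, 256); /* odd drops, paged */
    printf("past head: old=%zu fixed=%zu\n", opt_stats_overread(&tap, is_err_queue_old),
           opt_stats_overread(&tap, is_err_queue_fixed));
    return 0;
}
```

In the model an even drop count leaves the flag bit clear, so the old predicate misfires only intermittently, and a genuine error-queue entry (modelled as linear) still passes the fixed check.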

Affected Systems

Linux kernel versions that predate the commit fixing this logic flaw are affected. The issue is present in any kernel build that predates the patch at commit 1ee90b77b727df903033db873c75caac5c27ec98 and subsequent fixes.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable, so precise risk quantification is not possible. However, exploitation requires timestamping to be enabled on AF_PACKET sockets and an attacker who can craft packets that trigger the timestamp cmsg path. If triggered, the kernel may trip a hardened usercopy check, which can lead to a crash, or it may expose adjacent heap contents, giving visibility into sensitive data. The vulnerability is limited to an attacker who can influence packet sockets, such as a privileged user on the host or a remote attacker with a raw socket interface that can send crafted frames. No evidence suggests an attacker could gain arbitrary code execution, but the impact could be denial of service or information disclosure.

Generated by OpenCVE AI on June 25, 2026 at 12:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch identified by commit 1ee90b77b727df903033db873c75caac5c27ec98 or later.
  • If upgrading is not immediately possible, disable SO_RXQ_OVFL or disable timestamping on AF_PACKET sockets to prevent the timestamp cmsg path from being invoked on those packets.
  • Avoid using raw packet sockets with timestamping in unpatched systems until the kernel update is applied.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | net: guard timestamp cmsgs to real error queue skbs
First Time appeared | | Linux, Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux, Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:24.588Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53223

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T17:00:11Z

Weaknesses