Impact
In the Linux kernel, the XDP socket metadata area used in the transmit path is memory‑mapped and user‑writable. The routine xsk_s check on the fields csum_start and csum_offset, then rereads them for skb assignment. This race permits a malicious userspace program to overwrite the values between the two reads, bypassing the bounds check and causing the kernel to compute a checksum against an address beyond the buffer's limits. The result is an out‑of‑bounds memory access that can corrupt kernel memory or crash the system. The flaw is a classic race condition (C also introduces an out‑of‑bounds read (CWE‑125)).
Affected Systems
All installations of the Linux kernel that expose the af_xdp XDP socket interface to userspace are affected, provided the code has not been patched by the fix that caches xsk_skb_metadata()’s values locally. This includes any kernel version built from the official Linux source tree prior to the commit that introduced the isolation of csum_start and csum_offset, regardless of vendor distribution. The vulnerability is present in the default configuration of the kernel; no sub‑product designation is required, so system administrators should check whether their kernel has been updated beyond the release that includes the patch.
Risk and Exploitability
The vulnerability is a classic race condition, and the likely attack vector involves a local userspace process that can create an AF_XDP socket and map the UMEM buffer. Because the UMEM buffer is writable by that process, it can race to modify csum_start and csum_offset before the kernel performs its bounds check. The EPSS score of less than 1% indicates a very low, but non‑zero, likelihood of exploitation in the wild, and the CVSS score of 7.8 indicates a high‑severity flaw that can compromise system confidentiality, integrity, and availability. The flaw is not listed in CISA’s KEV catalog. The kernel‑level nature of the flaw means a successful exploit can lead to kernel memory corruption or a denial of service, which is a high‑risk event for unpatched systems.
OpenCVE Enrichment