Description
In the Linux kernel, the following vulnerability has been resolved:

xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()

The TX metadata area resides in the UMEM buffer which is memory-mapped
and concurrently writable by userspace. In xsk_skb_metadata(),
csum_start and csum_offset are read from shared memory for bounds
validation, then read again for skb assignment. A malicious userspace
application can race to overwrite these values between the two reads,
bypassing the bounds check and causing out-of-bounds memory access
during checksum computation in the transmit path.

Fix this by reading csum_start and csum_offset into local variables
once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch_time) and the cached
csum fields may be mutually inconsistent due to concurrent userspace
writes, but this is benign: the only security-critical invariant is
that each field's validated value is the same one used, which local
caching guarantees.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the XDP socket metadata area used in the transmit path is memory‑mapped and user‑writable. The routine xsk_s check on the fields csum_start and csum_offset, then rereads them for skb assignment. This race permits a malicious userspace program to overwrite the values between the two reads, bypassing the bounds check and causing the kernel to compute a checksum against an address beyond the buffer's limits. The result is an out‑of‑bounds memory access that can corrupt kernel memory or crash the system. The flaw is a classic race condition (C also introduces an out‑of‑bounds read (CWE‑125)).

Affected Systems

All installations of the Linux kernel that expose the af_xdp XDP socket interface to userspace are affected, provided the code has not been patched by the fix that caches xsk_skb_metadata()’s values locally. This includes any kernel version built from the official Linux source tree prior to the commit that introduced the isolation of csum_start and csum_offset, regardless of vendor distribution. The vulnerability is present in the default configuration of the kernel; no sub‑product designation is required, so system administrators should check whether their kernel has been updated beyond the release that includes the patch.

Risk and Exploitability

The vulnerability is a classic race condition, and the likely attack vector involves a local userspace process that can create an AF_XDP socket and map the UMEM buffer. Because the UMEM buffer is writable by that process, it can race to modify csum_start and csum_offset before the kernel performs its bounds check. The EPSS score of less than 1% indicates a very low, but non‑zero, likelihood of exploitation in the wild, and the CVSS score of 7.8 indicates a high‑severity flaw that can compromise system confidentiality, integrity, and availability. The flaw is not listed in CISA’s KEV catalog. The kernel‑level nature of the flaw means a successful exploit can lead to kernel memory corruption or a denial of service, which is a high‑risk event for unpatched systems.

Generated by OpenCVE AI on June 28, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that incorporates the xsk_skb_metadata() patch that caches csum_start and csum_offset locally.
  • If a kernel update is not possible, disable or restrict AF_XDP usage by removing the af_xdp kernel module or ensuring it is only loaded on trusted interfaces, thus preventing userspace from mapping the UMEM buffer.
  • Alternatively, disable XDP programs on affected interfaces or set xdp_mode to "skb" instead of transmit path from using the vulnerable function while still allowing packet reception.
  • Monitor kernel logs and audit events for out‑of‑bounds memory access indications (e.g., oops, panic, auditd logs) and enforce kernel protection mechanisms such as CONFIG_DEBUG_BUGON or page‑table isolation.

Generated by OpenCVE AI on June 28, 2026 at 13:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000


Sun, 28 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-362

Sun, 28 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-362

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-362

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xsk_skb_metadata(), csum_start and csum_offset are read from shared memory for bounds validation, then read again for skb assignment. A malicious userspace application can race to overwrite these values between the two reads, bypassing the bounds check and causing out-of-bounds memory access during checksum computation in the transmit path. Fix this by reading csum_start and csum_offset into local variables once, then using the local copies for both validation and assignment. Note that other metadata fields (flags, launch_time) and the cached csum fields may be mutually inconsistent due to concurrent userspace writes, but this is benign: the only security-critical invariant is that each field's validated value is the same one used, which local caching guarantees.
Title xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:56.428Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53250

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53250 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:30:06Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')