Impact
In the Linux kernel, the XDP socket metadata area used in the transmit path is memory‑mapped and user‑writable. The routine xsk_skb_metadata() performs a bounds check on the fields csum_start and csum_offset, then reads them a second time from the shared area when assigning them to the skb. This double read permits a malicious userspace program to overwrite the values between the check and the second read, bypassing the bounds check and causing the kernel to compute a checksum against an address beyond the buffer's limits. The result is an out‑of‑bounds memory access that can corrupt kernel memory or crash the system. The flaw is a classic race condition (CWE‑362) that also introduces an out‑of‑bounds read (CWE‑125).
Affected Systems
All installations of the Linux kernel that expose the af_xdp XDP socket interface to userspace are affected, provided the code has not been patched by the fix that caches xsk_skb_metadata()'s values locally. This includes any kernel version built from the official Linux source tree prior to the commit that introduced the isolation of csum_start and csum_offset, regardless of vendor distribution. The vulnerable code is part of the default kernel configuration; no particular sub‑product or build option is required, so system administrators should check whether their kernel has been updated beyond the release that includes the patch.
Risk and Exploitability
The vulnerability is a classic race condition, and the likely attack vector involves a local, userspace process that can create an AF_XDP socket and map the UMEM buffer. Because the UMEM buffer is writable by that process, it can race to modify csum_start and csum_offset in the window between the kernel's bounds check and its second read of the fields. The EPSS score is not available and the issue is not listed in CISA's KEV, but the kernel‑level nature of the flaw means a successful exploit can compromise system confidentiality, integrity, and availability. The absence of a CVSS score suggests the severity was not quantified publicly, but the potential for kernel memory corruption or denial of service indicates a high risk when the kernel is unpatched.
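The check-then-reread pattern described under Impact, and the fix described under Affected Systems (caching the values locally), modelled in plain userspace C as an added illustration. This is not kernel code and not the project's own patch: the struct, buffer length, function names and the race-window hook are constructed for the example. The hook stands in for the scheduling window in which another thread can rewrite the mapped area between the kernel's two reads, which makes the outcome deterministic enough to assert on.

```c
/* Constructed model of a double-fetch (TOCTOU) bounds check versus the
 * snapshot-and-validate pattern. Nothing here is Linux kernel code. */
#include <stdint.h>
#include <stdio.h>

#define BUF_LEN 256u   /* constructed packet buffer length, in bytes */

/* Simulated user-writable metadata area. In the real socket this lives in the
 * memory-mapped UMEM and can change at any instant; `volatile` forces every
 * read below to go to memory rather than a cached register. */
struct tx_meta {
    volatile uint16_t csum_start;
    volatile uint16_t csum_offset;
};

/* Hook representing the window between the kernel's check and its second read,
 * during which a concurrent thread may rewrite the mapped area. */
typedef void (*race_window_fn)(struct tx_meta *m);

/* Signature shared by both transmit-path models: on success, the values that
 * would actually be handed to the checksum step are returned via out_*. */
typedef int (*tx_fn)(struct tx_meta *, race_window_fn, uint16_t *, uint16_t *);

/* Returns 0 if a 16-bit checksum written at start + offset fits in the buffer,
 * -1 otherwise. The addition is done in 32 bits to avoid wrap-around. */
static int csum_fields_in_bounds(uint16_t start, uint16_t offset)
{
    return ((uint32_t)start + offset + 2u <= BUF_LEN) ? 0 : -1;
}

/* Vulnerable pattern: validates the fields, then reads them AGAIN from the
 * shared area when building the skb. The second read is never checked. */
static int tx_double_fetch(struct tx_meta *m, race_window_fn window,
                           uint16_t *out_start, uint16_t *out_offset)
{
    if (csum_fields_in_bounds(m->csum_start, m->csum_offset) != 0)
        return -1;                    /* first read: checked */
    if (window)
        window(m);                    /* shared area may change here */
    *out_start  = m->csum_start;      /* second read: unchecked */
    *out_offset = m->csum_offset;
    return 0;
}

/* Hardened pattern (the local caching the advisory's fix describes): copy each
 * field once into private locals, validate the copy, and use only the copy. */
static int tx_snapshot(struct tx_meta *m, race_window_fn window,
                       uint16_t *out_start, uint16_t *out_offset)
{
    uint16_t start  = m->csum_start;  /* single read of each field */
    uint16_t offset = m->csum_offset;
    if (csum_fields_in_bounds(start, offset) != 0)
        return -1;
    if (window)
        window(m);                    /* later writes cannot reach the locals */
    *out_start  = start;
    *out_offset = offset;
    return 0;
}

/* Constructed concurrent write: replaces a valid pair with one pointing past
 * the end of the buffer. */
static void rewrite_out_of_bounds(struct tx_meta *m)
{
    m->csum_start  = BUF_LEN;
    m->csum_offset = 0xfff0;
}

/* Runs one pattern against the racing writer; returns 1 if the values that
 * reached the checksum step are out of bounds (the check was bypassed). */
static int used_out_of_bounds(tx_fn tx)
{
    struct tx_meta m = { .csum_start = 14, .csum_offset = 16 };
    uint16_t s = 0, o = 0;
    if (tx(&m, rewrite_out_of_bounds, &s, &o) != 0)
        return 0;                     /* rejected: nothing was used */
    return csum_fields_in_bounds(s, o) != 0;
}

/* Returns 1 if the pattern rejects a pair that is already out of bounds. */
static int rejects_oob_input(tx_fn tx)
{
    struct tx_meta m = { .csum_start = BUF_LEN - 4, .csum_offset = 8 };
    uint16_t s = 0, o = 0;
    return tx(&m, NULL, &s, &o) == -1;
}

int main(void)
{
    printf("double fetch used out-of-bounds values: %d\n",
           used_out_of_bounds(tx_double_fetch));
    printf("snapshot used out-of-bounds values:     %d\n",
           used_out_of_bounds(tx_snapshot));
    return 0;
}
```

Both models reject input that is already invalid; only the snapshot model also keeps rejecting it when the area changes after the check, because the checksum step consumes the same local copy that was validated. That invariant, not any particular timing, is what the fix described on this page relies on.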
OpenCVE Enrichment