CVE-2026-23331
Received Received - Intake
UDP Socket Hash Table Inconsistency in Linux Kernel Causes Resource Leak

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected. Let's say we bind() an UDP socket to the wildcard address with a non-zero port, connect() it to an address, and disconnect it from the address. bind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not SOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put the socket into the 4-tuple hash table. Then, __udp_disconnect() calls sk->sk_prot->rehash(sk). It computes a new hash based on the wildcard address and moves the socket to a new slot in the 4-tuple hash table, leaving a garbage in the chain that no packet hits. Let's remove such a socket from 4-tuple hash table when disconnected. Note that udp_sk(sk)->udp_portaddr_hash needs to be udpated after udp_hash4_dec(hslot2) in udp_unhash4().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23331
EUVD
EUVD-2026-15289
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.13
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13.1 (inc) to 6.18.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's handling of UDP sockets in the 4-tuple hash table. When a UDP socket is bound to a wildcard address with a non-zero port, connected to an address, and then disconnected, the socket is not properly removed from the hash table. Specifically, after disconnecting, the socket is rehashed and moved to a new slot, leaving behind garbage entries in the hash chain that do not correspond to any active socket.

The issue arises because the socket remains in the 4-tuple hash table even after disconnection, which can cause stale or invalid entries. The fix involves removing such sockets from the hash table upon disconnection and updating the relevant hash data structures accordingly.


How can this vulnerability impact me? :

The vulnerability can lead to stale or garbage entries in the UDP socket hash table, which may cause unexpected behavior in the kernel's network stack. This could potentially affect network performance or reliability by causing inefficient socket lookups or resource leaks.

However, the provided information does not specify any direct security impact such as privilege escalation, denial of service, or data leakage.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart