CVE-2026-52943
Analyzed Analyzed - Analysis Complete

Use-After-Free in Linux Kernel skbuff

Vulnerability report for CVE-2026-52943, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: fix missing zerocopy reference in pskb_carve helpers pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy the old skb_shared_info header into a new buffer via memcpy(), which includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs. Neither function calls net_zcopy_get() for the new shinfo, creating an unaccounted holder: every skb_shared_info with destructor_arg set will call skb_zcopy_clear() once when freed, but the corresponding net_zcopy_get() was never called for the new copy. Repeated calls drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while TX skbs still hold live destructor_arg pointers. KASAN reports use-after-free on a freed ubuf_info_msgzc: BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810 Read of size 8 at addr ffff88801574d3e8 by task poc/220 Call Trace: skb_release_data+0x77b/0x810 kfree_skb_list_reason+0x13e/0x610 skb_release_data+0x4cd/0x810 sk_skb_reason_drop+0xf3/0x340 skb_queue_purge_reason+0x282/0x440 rds_tcp_inc_free+0x1e/0x30 rds_recvmsg+0x354/0x1780 __sys_recvmsg+0xdf/0x180 Allocated by task 219: msg_zerocopy_realloc+0x157/0x7b0 tcp_sendmsg_locked+0x2892/0x3ba0 Freed by task 219: ip_recv_error+0x74a/0xb10 tcp_recvmsg+0x475/0x530 The skb consuming the late access still referenced the same uarg via shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without a refcount bump. This has been verified to be reliably exploitable: a working proof-of-concept achieves full root privilege escalation from an unprivileged local user on a default kernel configuration. The fix follows the pattern of pskb_expand_head() which has the same memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get() is placed after skb_orphan_frags() succeeds, so the orphan error path needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is placed after all failure points and just before skb_release_data(), so no error path needs cleanup at all -- matching pskb_expand_head() more closely and avoiding the need for a balancing net_zcopy_put().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.35 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.93 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.210 (exc)
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.12 (exc)
linux linux_kernel From 4.7 (inc) to 5.10.259 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-911 The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network stack, specifically in the skbuff (socket buffer) handling code. Two functions, pskb_carve_inside_header() and pskb_carve_inside_nonlinear(), copy the skb_shared_info header using memcpy(), which includes a pointer called destructor_arg used for zero-copy message skbs. However, these functions fail to call net_zcopy_get() to increment the reference count for the new copy of the shared info. This leads to a reference count being decremented prematurely, causing the underlying buffer (ubuf_info_msgzc) to be freed while still in use by transmit skbs.

This use-after-free condition is detected by KASAN (Kernel Address Sanitizer) and can be exploited reliably to achieve full root privilege escalation from an unprivileged local user on a default kernel configuration.

Impact Analysis

The vulnerability allows an unprivileged local user to escalate their privileges to full root access on a system running a vulnerable Linux kernel. This means an attacker could gain complete control over the affected system, potentially leading to unauthorized access, data theft, system compromise, and disruption of services.

Detection Guidance

This vulnerability involves a use-after-free bug in the Linux kernel's network skb (socket buffer) handling, specifically related to zerocopy references in pskb_carve helpers.

Detection can be attempted by monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating slab-use-after-free errors in skb_release_data or related functions.

Commands to check kernel logs for such errors include:

  • dmesg | grep -i kasan
  • journalctl -k | grep -i kasan

Additionally, monitoring for suspicious local privilege escalation attempts or unusual network socket behavior may help identify exploitation attempts.

Mitigation Strategies

The primary mitigation is to update the Linux kernel to a version where this vulnerability has been fixed.

Since the issue is a kernel-level use-after-free bug exploitable for local privilege escalation, immediate steps include:

  • Apply the vendor-provided kernel patch or upgrade to the fixed kernel version.
  • Restrict unprivileged local user access to the system until the patch is applied.
  • Monitor system logs for any signs of exploitation attempts.

No other specific workarounds or mitigations are described.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart