CVE-2026-53223
Received - Intake
Linux Kernel Timestamping Information Disclosure

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb from sk_error_queue. That assumption is not true for AF_PACKET sockets: outgoing packet taps are also delivered to packet sockets with skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic timestamp cmsg path can read AF_PACKET control-buffer state as sock_exterr_skb::opt_stats.

With SO_RXQ_OVFL enabled, the packet drop counter overlaps opt_stats. An odd drop count makes the path emit SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear skbs this copies past the linear head and can trigger hardened usercopy or disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal receive ownership and no longer pass as error-queue skbs, while legitimate sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free ownership.
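The predicate change described above, as a user-space C model added here (it is not kernel code and not taken from the patch). The struct, the `model_rx_free` stand-in, and the placement of both the drop counter and the `opt_stats` flag at `cb[0]` are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PACKET_OUTGOING 4 /* same value as in <linux/if_packet.h> */

struct model_skb; /* constructed user-space stand-in for struct sk_buff */
typedef void (*destructor_fn)(struct model_skb *);
struct model_skb {
    uint8_t pkt_type;
    destructor_fn destructor;
    uint8_t cb[48]; /* control buffer: its layout depends on who owns the skb */
};

/* Stand-ins for the ownership destructors; only their identity matters here. */
static void sock_rmem_free(struct model_skb *skb) { (void)skb; } /* set by sock_queue_err_skb() */
static void model_rx_free(struct model_skb *skb) { (void)skb; }  /* hypothetical: normal receive ownership */

/* Pre-fix test: the PACKET_OUTGOING marker alone. */
static bool is_err_queue_old(const struct model_skb *skb) {
    return skb->pkt_type == PACKET_OUTGOING;
}

/* Post-fix test: the marker must be paired with the error-queue destructor. */
static bool is_err_queue_fixed(const struct model_skb *skb) {
    return skb->pkt_type == PACKET_OUTGOING && skb->destructor == sock_rmem_free;
}

/* Model assumption: the opt_stats flag is bit 0 of cb[0]. */
static bool emits_opt_stats(const struct model_skb *skb, bool (*is_errq)(const struct model_skb *)) {
    return is_errq(skb) && (skb->cb[0] & 1);
}

/* AF_PACKET tap skb: cb starts with a drop counter (little-endian in this model). */
static struct model_skb make_tap_skb(uint32_t drops) {
    return (struct model_skb){ .pkt_type = PACKET_OUTGOING, .destructor = model_rx_free,
        .cb = { (uint8_t)drops, (uint8_t)(drops >> 8), (uint8_t)(drops >> 16), (uint8_t)(drops >> 24) } };
}

/* Genuine sk_error_queue entry: cb holds error-queue state, including opt_stats. */
static struct model_skb make_err_skb(bool opt_stats) {
    return (struct model_skb){ .pkt_type = PACKET_OUTGOING, .destructor = sock_rmem_free,
        .cb = { opt_stats ? 1 : 0 } };
}

int main(void) {
    struct model_skb tap = make_tap_skb(3), err = make_err_skb(true);
    printf("tap, odd drops: old=%d fixed=%d\n", emits_opt_stats(&tap, is_err_queue_old), emits_opt_stats(&tap, is_err_queue_fixed));
    printf("error queue:    old=%d fixed=%d\n", emits_opt_stats(&err, is_err_queue_old), emits_opt_stats(&err, is_err_queue_fixed));
    return 0;
}
```
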
Affected Vendors & Products
Vendor | Product | Version / Range
linux_kernel | linux_kernel | *
linux | linux_kernel | *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's network stack, in how timestamp control messages (cmsgs) are attached to received socket buffers (skbs). The function skb_is_err_queue() assumes that the PACKET_OUTGOING marker uniquely identifies skbs from a socket's error queue. For AF_PACKET sockets that assumption fails: outgoing packet taps also carry the PACKET_OUTGOING marker, but their control buffer (skb->cb) is owned by AF_PACKET rather than holding a struct sock_exterr_skb. When timestamping is enabled, the kernel can therefore read AF_PACKET control-buffer state as the opt_stats field and emit an SCM_TIMESTAMPING_OPT_STATS cmsg built from skb->len and skb->data. For non-linear skbs that copy runs past the linear head, which can trigger hardened usercopy or disclose adjacent heap memory contents.

Impact Analysis

The vulnerability can lead to unintended disclosure of adjacent heap memory contents to user space, which may include sensitive information. It can also trigger hardened usercopy protections, potentially causing application crashes or denial of service. This means an attacker or a malicious user could exploit this flaw to gain access to memory data they should not have, impacting system confidentiality and stability.
