CVE-2026-53250
Race Condition in Linux Kernel XSK TX Metadata Handling

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()

The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xsk_skb_metadata(), csum_start and csum_offset are read from shared memory for bounds validation, then read again for skb assignment. A malicious userspace application can race to overwrite these values between the two reads, bypassing the bounds check and causing out-of-bounds memory access during checksum computation in the transmit path.

Fix this by reading csum_start and csum_offset into local variables once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch_time) and the cached csum fields may be mutually inconsistent due to concurrent userspace writes, but this is benign: the only security-critical invariant is that each field's validated value is the same one used, which local caching guarantees.

Affected Vendors & Products
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's xsk (AF_XDP) subsystem, specifically in the function xsk_skb_metadata(). The issue arises because the TX metadata area, which includes checksum start (csum_start) and checksum offset (csum_offset) values, is stored in a memory region that is shared and writable by userspace concurrently.

The vulnerability is a Time-Of-Check to Time-Of-Use (TOCTOU) race condition. The kernel reads csum_start and csum_offset twice: first to validate their bounds, and then again to assign them for checksum computation. A malicious userspace application can exploit the time gap between these two reads to change these values, bypassing the bounds check and causing out-of-bounds memory access during checksum calculation.

The fix involves caching the csum_start and csum_offset values into local variables immediately after the first read, and then using these cached values for both validation and assignment, preventing the race condition.
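
The double read and the cached-read fix described above, modelled in userspace C as an added example (not the kernel's code or the upstream patch). The struct names, the simplified bounds rule, and the writer hook that stands in for a concurrent write to shared memory are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the two shared fields; not the kernel's struct. */
struct shared_meta { volatile uint16_t csum_start, csum_offset; };
struct skb_csum { uint16_t csum_start, csum_offset; };   /* kernel-private copy */

/* Hypothetical hook modelling a write to shared memory that lands mid-function. */
typedef void (*writer_fn)(struct shared_meta *);

/* Assumed, simplified bounds rule: the 2-byte checksum must fit inside len. */
static int in_bounds(uint16_t start, uint16_t off, size_t len)
{
    return (size_t)start + off + sizeof(uint16_t) <= len;
}

/* Before: validate from shared memory, then read shared memory again to assign. */
static int meta_double_fetch(struct shared_meta *m, size_t len,
                             struct skb_csum *out, writer_fn w)
{
    if (!in_bounds(m->csum_start, m->csum_offset, len))
        return -1;
    if (w) w(m);                         /* shared memory changes here */
    out->csum_start = m->csum_start;     /* second fetch: unvalidated value */
    out->csum_offset = m->csum_offset;
    return 0;
}

/* After: one fetch into locals; the validated value is the value used. */
static int meta_single_fetch(struct shared_meta *m, size_t len,
                             struct skb_csum *out, writer_fn w)
{
    uint16_t start = m->csum_start, off = m->csum_offset;
    if (w) w(m);                         /* later writes no longer matter */
    if (!in_bounds(start, off, len))
        return -1;
    out->csum_start = start;
    out->csum_offset = off;
    return 0;
}

/* Constructed writer used by the check below. */
static void late_writer(struct shared_meta *m) { m->csum_start = 60000; }

/* Returns 1 when the fields a handler accepted still satisfy the bounds rule. */
static int accepted_fields_valid(int (*fn)(struct shared_meta *, size_t,
                                 struct skb_csum *, writer_fn), size_t len)
{
    struct shared_meta m = { 14, 16 };   /* constructed in-bounds starting values */
    struct skb_csum out = { 0, 0 };
    return fn(&m, len, &out, late_writer) == 0 &&
           in_bounds(out.csum_start, out.csum_offset, len);
}
```

The same check works as a regression test for any handler that validates fields held in memory another party can write: the invariant to assert is that the accepted copy, not the shared source, passes the bounds rule.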

Impact Analysis

This vulnerability can allow a malicious userspace application to cause out-of-bounds memory access in the kernel during checksum computation in the transmit path. This could potentially lead to kernel crashes, memory corruption, or other unpredictable behavior, which may compromise system stability and security.

Mitigation Strategies

The vulnerability has been resolved by a fix in the Linux kernel that caches csum_start and csum_offset values locally to prevent a TOCTOU race condition in xsk_skb_metadata().

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
