CVE-2026-53250
Analyzed Analyzed - Analysis Complete

Race Condition in Linux Kernel XSK TX Metadata Handling

Vulnerability report for CVE-2026-53250, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xsk_skb_metadata(), csum_start and csum_offset are read from shared memory for bounds validation, then read again for skb assignment. A malicious userspace application can race to overwrite these values between the two reads, bypassing the bounds check and causing out-of-bounds memory access during checksum computation in the transmit path. Fix this by reading csum_start and csum_offset into local variables once, then using the local copies for both validation and assignment. Note that other metadata fields (flags, launch_time) and the cached csum fields may be mutually inconsistent due to concurrent userspace writes, but this is benign: the only security-critical invariant is that each field's validated value is the same one used, which local caching guarantees.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-08
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.8 (inc) to 6.18.36 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's xsk (AF_XDP) subsystem, specifically in the function xsk_skb_metadata(). The issue arises because the TX metadata area, which includes checksum start (csum_start) and checksum offset (csum_offset) values, is stored in a memory region that is shared and writable by userspace concurrently.

The vulnerability is a Time-Of-Check to Time-Of-Use (TOCTOU) race condition. The kernel reads csum_start and csum_offset twice: first to validate their bounds, and then again to assign them for checksum computation. A malicious userspace application can exploit the time gap between these two reads to change these values, bypassing the bounds check and causing out-of-bounds memory access during checksum calculation.

The fix involves caching the csum_start and csum_offset values into local variables immediately after the first read, and then using these cached values for both validation and assignment, preventing the race condition.

Impact Analysis

This vulnerability can allow a malicious userspace application to cause out-of-bounds memory access in the kernel during checksum computation in the transmit path. This could potentially lead to kernel crashes, memory corruption, or other unpredictable behavior, which may compromise system stability and security.

Mitigation Strategies

The vulnerability has been resolved by a fix in the Linux kernel that caches csum_start and csum_offset values locally to prevent a TOCTOU race condition in xsk_skb_metadata().

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart