CVE-2026-53151
rxrpc: Fix the ACK parser to extract the SACK table for parsing
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.8EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
25 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix the ACK parser to extract the SACK table for parsing
Fix modification of the received skbuff in rxrpc_input_soft_acks() and a
potential incorrect access of the buffer in a fragmented UDP packet (the
packet would probably have to be deliberately pre-generated as fragmented)
when AF_RXRPC tries to extract the contents of the SACK table by copying
out the contents of the SACK table into a buffer before attempting to parse
AF_RXRPC assumes that it can just call skb_condense() and then validly
access the SACK table from skb->data and that it will be a flat buffer -
but skb_condense() can silently fail to do anything under some
circumstances.
Note that whilst rxrpc_input_soft_acks() should be able to parse extended
ACKs, the rest of AF_RXRPC doesn't currently support that.
Further, there's then no need to call skb_condense() in rxrpc_input_ack(),
so don't.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
Linux · LinuxReferencias
https://git.kernel.org/stable/c/224298450be5c04d2a6ea1c2a94669d7ebf65d00https://git.kernel.org/stable/c/333b6d5bb9f87827ac2639c737bf9613dbae7253https://git.kernel.org/stable/c/566c4c1244de50fbff1f89ff93c9d7b0fc256db4https://git.kernel.org/stable/c/5d1ae4e17a3ecd8561cdb4f4f70152f41039c4e1https://git.kernel.org/stable/c/775c5e89272a2615b72bb84f611ba66fa3b7493e