CVE-2026-53223 Overview
CVE-2026-53223 is a Linux kernel vulnerability in the networking stack involving incorrect classification of socket buffers (skb) on the error queue path. The skb_is_err_queue() helper assumed PACKET_OUTGOING was sufficient to identify an skb originating from sk_error_queue. This assumption breaks for AF_PACKET sockets, where outgoing packet taps share the same marker but carry different control-buffer ownership. The timestamp control message (cmsg) path could then misinterpret AF_PACKET state as sock_exterr_skb metadata. With SO_RXQ_OVFL enabled, this leads to emission of SCM_TIMESTAMPING_OPT_STATS using non-linear skb data, potentially copying past the linear head.
Critical Impact
A local user with packet socket access can trigger an out-of-bounds read that may disclose adjacent kernel heap contents or trip hardened usercopy checks, causing kernel information leakage or denial of service.
Affected Products
- Linux kernel networking subsystem (net/socket.c, AF_PACKET path)
- Multiple stable kernel branches receiving the backport (commits 1ee90b7, 24a0d54, 3dde4fb, 71ff5cd, ad9a037, b903e9b, e0665b2, eb51a9a)
- Linux distributions shipping unpatched stable kernels
Discovery Timeline
- 2026-06-25 - CVE-2026-53223 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53223
Vulnerability Analysis
The defect lives in the generic timestamp cmsg handling path in the Linux kernel socket layer. The helper skb_is_err_queue() checked only skb->pkt_type == PACKET_OUTGOING to decide whether an skb came from sk_error_queue. AF_PACKET sockets receive outgoing taps tagged with the same PACKET_OUTGOING marker, but their skb->cb is owned by AF_PACKET rather than by struct sock_exterr_skb. When a timestamping-enabled receiver consumed such an skb, the kernel treated AF_PACKET control-buffer bytes as sock_exterr_skb::opt_stats.
With SO_RXQ_OVFL enabled, the receive-queue overflow counter overlaps the misinterpreted opt_stats field. An odd drop counter value caused the kernel to emit SCM_TIMESTAMPING_OPT_STATS using skb->len and skb->data. For non-linear skbs, this read extended past the linear head, either tripping hardened usercopy mitigations or leaking adjacent heap memory to userspace.
Root Cause
The root cause is an insufficient discriminator in skb_is_err_queue(). PACKET_OUTGOING is a shared marker across two distinct skb ownership models, so relying on it alone produced a type-confusion-like condition between sock_exterr_skb and AF_PACKET control buffers. This is classified as an out-of-bounds read with information disclosure consequences.
Attack Vector
A local attacker opens an AF_PACKET socket, enables SO_TIMESTAMPING and SO_RXQ_OVFL, and arranges for a non-linear outgoing skb to be delivered as a tap. By influencing the overflow drop counter to an odd value, the attacker forces the kernel into the SCM_TIMESTAMPING_OPT_STATS emission path, which reads beyond the linear skb head. Exploitation does not require elevated privileges beyond the capabilities required to open a packet socket on the target system.
No public exploitation code is available in the references for this CVE. See the upstream patch commits for the technical fix details.
Detection Methods for CVE-2026-53223
Indicators of Compromise
- Kernel log entries from hardened usercopy (usercopy:) reporting reads exceeding the linear skb head in the socket cmsg path
- Unexpected process crashes or SIGBUS/SIGSEGV in userspace tools consuming SCM_TIMESTAMPING_OPT_STATS cmsgs
- Anomalous use of AF_PACKET sockets combined with SO_TIMESTAMPING and SO_RXQ_OVFL from non-privileged or unexpected processes
Detection Strategies
- Monitor for processes invoking socket(AF_PACKET, ...) paired with setsockopt calls for SO_TIMESTAMPING and SO_RXQ_OVFL on production hosts that do not normally perform packet capture
- Audit kernel ring buffer (dmesg) for hardened usercopy violations originating in net/socket.c
- Track running kernel versions against the fixed stable releases referenced in the upstream commits
Monitoring Recommendations
- Enable auditd rules for socket and setsockopt syscalls with AF_PACKET family to identify unusual local actors
- Correlate kernel oops and usercopy warnings with the originating process and binary path
- Track kernel package versions across the fleet to confirm patch deployment status
How to Mitigate CVE-2026-53223
Immediate Actions Required
- Apply the upstream stable kernel updates that include commits 1ee90b7, 24a0d54, 3dde4fb, 71ff5cd, ad9a037, b903e9b, e0665b2, and eb51a9a
- Restrict CAP_NET_RAW and packet socket access to required service accounts only
- Audit systems for unprivileged users or containers granted packet socket capabilities
Patch Information
The upstream fix keeps skb_is_err_queue() local to net/socket.c and additionally verifies that the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal receive ownership and therefore no longer satisfy the error-queue test, while legitimate sk_error_queue entries retain both the PACKET_OUTGOING marker and sock_rmem_free ownership. Refer to the Kernel Git Commit 1ee90b7 and the additional stable backports linked from the NVD entry.
Workarounds
- Drop CAP_NET_RAW from container profiles and seccomp policies that do not require packet socket creation
- Disable or restrict SO_TIMESTAMPING and SO_RXQ_OVFL usage in untrusted workloads where feasible
- Apply Linux Security Module policies (SELinux, AppArmor) restricting packet_socket access to known service binaries
# Identify processes currently holding AF_PACKET sockets
ss -0 -p -a
# Inspect granted capabilities on a running container or process
getpcaps <pid>
# Remove CAP_NET_RAW from a Docker container at runtime configuration
docker run --cap-drop=NET_RAW <image>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

