Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53362

CVE-2026-53362: Linux Kernel Privilege Escalation Flaw

CVE-2026-53362 is a privilege escalation vulnerability in the Linux kernel's IPv6 implementation that allows unprivileged users to corrupt memory. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-53362 Overview

CVE-2026-53362 is an out-of-bounds write vulnerability in the Linux kernel's IPv6 networking stack. The flaw resides in the __ip6_append_data() function within the paged-allocation branch used for MSG_MORE, NETIF_F_SG, and large fragment length scenarios. When fraggap is non-zero, the linear socket buffer area is undersized while pagedlen is overstated by the same amount. The copy operation then writes past skb->end into the trailing skb_shared_info structure.

An unprivileged local user can trigger this memory corruption via a UDPv6 socket combining MSG_MORE with MSG_SPLICE_PAGES. The bug was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc") and made reachable by commit ce650a166335.

Critical Impact

Unprivileged local users can corrupt kernel memory adjacent to socket buffers via crafted UDPv6 sendmsg calls, enabling potential privilege escalation or kernel panic.

Affected Products

  • Linux kernel versions containing commit 773ba4fe9104 ("ipv6: avoid partial copy for zc")
  • Linux kernel versions containing commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES")
  • Downstream distributions shipping affected upstream stable kernels

Discovery Timeline

  • 2026-07-04 - CVE-2026-53362 published to NVD
  • 2026-07-04 - Last updated in NVD database

Technical Details for CVE-2026-53362

Vulnerability Analysis

The vulnerability exists in the IPv6 output path in __ip6_append_data(). When the paged-allocation branch is taken, alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen and pagedlen = datalen - transhdrlen. However, datalen already includes fraggap because datalen = length + fraggap.

When fraggap is non-zero, the current skb is not the first fragment and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. This makes the linear area undersized by fraggap bytes while pagedlen is overstated by the same amount.

The resulting write operation exceeds skb->end and corrupts the trailing skb_shared_info structure. This heap-adjacent corruption can be leveraged to overwrite critical kernel data structures, including fragment reference counts and destructor pointers.

Root Cause

The root cause is inconsistent fraggap accounting between the paged and non-paged allocation branches. The non-paged branch correctly sets alloclen to fraglen, which already accounts for fraggap through datalen. The paged branch omits this adjustment, producing a linear area that is fraggap bytes smaller than the amount of data written to it.

Attack Vector

An unprivileged local user opens a UDPv6 socket and issues sendmsg() calls combining MSG_MORE and MSG_SPLICE_PAGES flags. By crafting message sizes that force the paged-allocation branch while producing a non-zero fraggap on subsequent skbs, the attacker triggers the out-of-bounds write into skb_shared_info. No special capabilities or network position are required. See the upstream kernel fix for the corrected arithmetic.

Detection Methods for CVE-2026-53362

Indicators of Compromise

  • Kernel panics or BUG: messages referencing skb_shared_info corruption or slab out-of-bounds writes in __ip6_append_data
  • KASAN reports flagging out-of-bounds writes in the IPv6 output path when UDPv6 traffic uses MSG_SPLICE_PAGES
  • Unexpected process crashes or memory corruption traces originating from local processes using UDPv6 sockets with MSG_MORE

Detection Strategies

  • Enable KASAN (Kernel Address Sanitizer) on test and staging kernels to detect the out-of-bounds write at runtime
  • Audit installed kernel packages against distribution advisories referencing the fix commits 14200d4, 46f201f, 6374fb9, 65fb14c, 736b380, and e9eacf1
  • Monitor for local processes making unusual sendmsg() syscall patterns against UDPv6 sockets combining MSG_MORE and MSG_SPLICE_PAGES

Monitoring Recommendations

  • Collect kernel ring buffer output (dmesg) centrally and alert on oops, warning, or KASAN messages naming __ip6_append_data
  • Use auditd or eBPF-based telemetry to track sendmsg syscalls with MSG_SPLICE_PAGES on UDPv6 sockets from unprivileged users
  • Track kernel version inventory across the fleet and flag hosts running kernels that predate the fix commits

How to Mitigate CVE-2026-53362

Immediate Actions Required

  • Apply the stable kernel updates containing the fix commits listed in the NVD references and reboot affected hosts
  • Prioritize patching multi-tenant systems, container hosts, and shared workstations where unprivileged local users execute untrusted code
  • Rebuild and redeploy custom kernels that carry the offending commit 773ba4fe9104 without the corrective patch

Patch Information

The fix adds fraggap to alloclen and subtracts it from pagedlen in the paged branch, aligning it with the non-paged branch. The stale comment describing the old negative-copy arithmetic is removed, and the MSG_SPLICE_PAGES exception in the negative copy check is dropped. Fix commits are available at 14200d4, 46f201f, 6374fb9, 65fb14c, 736b380, and e9eacf1.

Workarounds

  • Restrict unprivileged user access on shared kernels until patches are applied, particularly on hosts running untrusted workloads
  • Disable IPv6 on systems that do not require it to eliminate the vulnerable code path via sysctl -w net.ipv6.conf.all.disable_ipv6=1
  • Consider seccomp profiles that restrict sendmsg flag combinations for untrusted processes where feasible
bash
# Verify running kernel and check for fix
uname -r

# Temporarily disable IPv6 if not required
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

# Persist the setting
echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.d/99-cve-2026-53362.conf
echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.d/99-cve-2026-53362.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.