CVE-2026-53366 Overview
CVE-2026-53366 is a Linux kernel vulnerability in the IPv4 networking stack. The flaw resides in the __ip_append_data() function, which mishandles the fraggap accounting on the paged allocation path. When the paged-allocation branch executes, the linear area of the newly allocated socket buffer (skb) is undersized by fraggap bytes, while pagedlen is overstated by the same amount. This mismatch causes incorrect fragmentation arithmetic during IPv4 packet construction. The upstream fix aligns the paged branch with the non-paged branch by adding fraggap to alloclen and subtracting it from pagedlen.
Critical Impact
The kernel copies fraggap bytes into an undersized linear buffer, producing memory corruption or malformed IPv4 fragments on the paged-allocation path.
Affected Products
- Linux kernel (upstream, mainline)
- Linux kernel stable branches receiving the referenced backports
- Distributions shipping affected kernels prior to the linked stable commits
Discovery Timeline
- 2026-07-16 - CVE-2026-53366 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-53366
Vulnerability Analysis
The vulnerability affects __ip_append_data() in the Linux kernel IPv4 stack. On the paged-allocation branch, the function computes:
- alloclen = fragheaderlen + transhdrlen;
- pagedlen = datalen - transhdrlen;
The value datalen already includes fraggap, which represents bytes carried over from the previous skb. Those fraggap bytes are subsequently written into the new skb's linear area at offset transhdrlen by skb_copy_and_csum_bits(). Because alloclen never adds fraggap, the linear area is too small to accommodate the copy, and pagedlen is inflated by the same amount.
The non-paged branch does not suffer from this bug because it sets alloclen to fraglen, which already accounts for fraggap through datalen. The fix brings the paged branch into parity by explicitly adding fraggap to alloclen and subtracting it from pagedlen, and it removes the stale comment describing the prior arithmetic.
Root Cause
The root cause is inconsistent accounting of the fraggap value between the paged and non-paged allocation branches of __ip_append_data(). The paged branch omits fraggap from the linear allocation size while still copying fraggap bytes into that linear region, producing an out-of-bounds write condition within the skb structure.
Attack Vector
The issue is reachable through the IPv4 send path when fragmentation is required and the paged-allocation branch is selected. Local processes constructing IPv4 datagrams that trigger fragmentation with a non-zero fraggap can drive the kernel into this state. Public exploitation details, exploit code, and CISA KEV listing are not currently available for CVE-2026-53366.
No verified proof-of-concept code has been published. Refer to the upstream commits for the exact code-level changes.
Detection Methods for CVE-2026-53366
Indicators of Compromise
- Unexpected kernel warnings, skb corruption messages, or KASAN out-of-bounds reports referencing __ip_append_data or skb_copy_and_csum_bits.
- Malformed outbound IPv4 fragments observed on the wire that do not match the sending application's payload.
- Sporadic kernel panics or soft lockups originating in the IPv4 output path on affected kernel versions.
Detection Strategies
- Inventory running kernel versions across Linux fleets and cross-reference against the stable commits 77798d7, a9c24ed, c04d9ec, ce49470, and eca8569.
- Enable KASAN on test kernels to surface out-of-bounds writes within skb linear buffers during IPv4 fragmentation workloads.
- Monitor kernel ring buffer output (dmesg) for repeated network-stack warnings on hosts handling fragmented IPv4 traffic.
Monitoring Recommendations
- Collect kernel logs centrally and alert on network-stack traces referencing IPv4 output functions.
- Track packet capture anomalies on egress interfaces, particularly malformed IPv4 fragments from Linux hosts.
- Correlate kernel version telemetry with patch status to identify unremediated systems handling untrusted network workloads.
How to Mitigate CVE-2026-53366
Immediate Actions Required
- Identify all Linux systems running kernels predating the referenced stable fixes and prioritize hosts exposed to fragmented IPv4 traffic.
- Apply the vendor-supplied kernel update from your Linux distribution as soon as it is available.
- Reboot affected systems after patch installation to load the corrected kernel image.
Patch Information
The fix is available in the following upstream stable commits:
- Kernel Git Commit 77798d7
- Kernel Git Commit a9c24ed
- Kernel Git Commit c04d9ec
- Kernel Git Commit ce49470
- Kernel Git Commit eca8569
The patch adjusts alloclen and pagedlen in __ip_append_data() so the paged-allocation branch accounts for fraggap consistently with the non-paged branch.
Workarounds
- No official workaround has been published; applying the upstream kernel patch is the recommended remediation.
- Where patching is delayed, restrict local access on multi-tenant hosts to limit reachability of the IPv4 send path from untrusted users.
- Reduce exposure to attacker-influenced IPv4 fragmentation by enforcing MTU consistency and filtering unusual fragment patterns at network boundaries.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

