CVE-2026-53184 (GCVE-0-2026-53184)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
VLAI
Title
udp: clear skb->dev before running a sockmap verdict
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp: clear skb->dev before running a sockmap verdict
On the UDP receive path skb->dev is repurposed as dev_scratch (the
truesize/state cache set by udp_set_dev_scratch()), through the
union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.
When a UDP socket is in a sockmap, sk_data_ready is
sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor()
(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.
If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,
bpf_skc_lookup_tcp), bpf_skc_lookup() does:
if (skb->dev)
caller_net = dev_net(skb->dev);
skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net()
dereferences it as a struct net_device * and the kernel takes a general
protection fault on a non-canonical address in softirq:
Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
Call Trace:
<IRQ>
bpf_prog_4675cb904b7071f8+0x12e/0x14e
bpf_prog_run_pin_on_cpu+0xc6/0x1f0
sk_psock_verdict_recv+0x1ba/0x350
udp_read_skb+0x31a/0x370
sk_psock_verdict_data_ready+0x2e3/0x600
__udp_enqueue_schedule_skb+0x4c8/0x650
udpv6_queue_rcv_one_skb+0x3ec/0x740
udp6_unicast_rcv_skb+0x11d/0x140
ip6_protocol_deliver_rcu+0x61e/0x950
ip6_input_finish+0xa9/0x150
NF_HOOK+0x286/0x2f0
ip6_input+0x117/0x220
NF_HOOK+0x286/0x2f0
__netif_receive_skb+0x85/0x200
process_backlog+0x374/0x9a0
__napi_poll+0x4f/0x1c0
net_rx_action+0x3b0/0x770
handle_softirqs+0x15a/0x460
do_softirq+0x57/0x80
</IRQ>
The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on
dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear
skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which
skb_set_owner_sk_safe() set just above.
Severity
7.5 (High)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
965b57b469a589d64d81b1688b38dcb537011bb0 , < 263779a6beff03b8b06f6d25566cb0f45af361f2
(git)
Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 1b585673a2249f13678e7ac443ac683ba767e0b6 (git) Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 90d35188aaa92b8f8b23f66335e0e91bf60103a3 (git) Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 6822eed69572000a181fa4e31fceacc60918c471 (git) Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1 (git) Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 3c94f241f776562c489876ff506f366224565c21 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "263779a6beff03b8b06f6d25566cb0f45af361f2",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "1b585673a2249f13678e7ac443ac683ba767e0b6",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "90d35188aaa92b8f8b23f66335e0e91bf60103a3",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "6822eed69572000a181fa4e31fceacc60918c471",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "3c94f241f776562c489876ff506f366224565c21",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: clear skb-\u003edev before running a sockmap verdict\n\nOn the UDP receive path skb-\u003edev is repurposed as dev_scratch (the\ntruesize/state cache set by udp_set_dev_scratch()), through the\nunion { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.\n\nWhen a UDP socket is in a sockmap, sk_data_ready is\nsk_psock_verdict_data_ready(), which calls udp_read_skb() -\u003e recv_actor()\n(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.\nIf that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,\nbpf_skc_lookup_tcp), bpf_skc_lookup() does:\n\n\tif (skb-\u003edev)\n\t\tcaller_net = dev_net(skb-\u003edev);\n\nskb-\u003edev still holds the dev_scratch value (a non-NULL integer), so dev_net()\ndereferences it as a struct net_device * and the kernel takes a general\nprotection fault on a non-canonical address in softirq:\n\n Oops: general protection fault, probably for non-canonical address 0x1010000800004a0\n CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)\n RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]\n RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047\n Call Trace:\n \u003cIRQ\u003e\n bpf_prog_4675cb904b7071f8+0x12e/0x14e\n bpf_prog_run_pin_on_cpu+0xc6/0x1f0\n sk_psock_verdict_recv+0x1ba/0x350\n udp_read_skb+0x31a/0x370\n sk_psock_verdict_data_ready+0x2e3/0x600\n __udp_enqueue_schedule_skb+0x4c8/0x650\n udpv6_queue_rcv_one_skb+0x3ec/0x740\n udp6_unicast_rcv_skb+0x11d/0x140\n ip6_protocol_deliver_rcu+0x61e/0x950\n ip6_input_finish+0xa9/0x150\n NF_HOOK+0x286/0x2f0\n ip6_input+0x117/0x220\n NF_HOOK+0x286/0x2f0\n __netif_receive_skb+0x85/0x200\n process_backlog+0x374/0x9a0\n __napi_poll+0x4f/0x1c0\n net_rx_action+0x3b0/0x770\n handle_softirqs+0x15a/0x460\n do_softirq+0x57/0x80\n \u003c/IRQ\u003e\n\nThe rmem charge that dev_scratch accounted for is released by skb_recv_udp() on\ndequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear\nskb-\u003edev so bpf_skc_lookup() falls back to sock_net(skb-\u003esk), which\nskb_set_owner_sk_safe() set just above."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:58.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/263779a6beff03b8b06f6d25566cb0f45af361f2"
},
{
"url": "https://git.kernel.org/stable/c/1b585673a2249f13678e7ac443ac683ba767e0b6"
},
{
"url": "https://git.kernel.org/stable/c/90d35188aaa92b8f8b23f66335e0e91bf60103a3"
},
{
"url": "https://git.kernel.org/stable/c/6822eed69572000a181fa4e31fceacc60918c471"
},
{
"url": "https://git.kernel.org/stable/c/7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1"
},
{
"url": "https://git.kernel.org/stable/c/3c94f241f776562c489876ff506f366224565c21"
}
],
"title": "udp: clear skb-\u003edev before running a sockmap verdict",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53184",
"datePublished": "2026-06-25T08:38:58.189Z",
"dateReserved": "2026-06-09T07:44:35.390Z",
"dateUpdated": "2026-06-28T06:39:58.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-53184",
"date": "2026-06-30",
"epss": "0.00506",
"percentile": "0.39373"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-53184\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-25T09:16:35.800\",\"lastModified\":\"2026-06-30T14:44:27.313\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudp: clear skb-\u003edev before running a sockmap verdict\\n\\nOn the UDP receive path skb-\u003edev is repurposed as dev_scratch (the\\ntruesize/state cache set by udp_set_dev_scratch()), through the\\nunion { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.\\n\\nWhen a UDP socket is in a sockmap, sk_data_ready is\\nsk_psock_verdict_data_ready(), which calls udp_read_skb() -\u003e recv_actor()\\n(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.\\nIf that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,\\nbpf_skc_lookup_tcp), bpf_skc_lookup() does:\\n\\n\\tif (skb-\u003edev)\\n\\t\\tcaller_net = dev_net(skb-\u003edev);\\n\\nskb-\u003edev still holds the dev_scratch value (a non-NULL integer), so dev_net()\\ndereferences it as a struct net_device * and the kernel takes a general\\nprotection fault on a non-canonical address in softirq:\\n\\n Oops: general protection fault, probably for non-canonical address 0x1010000800004a0\\n CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)\\n RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]\\n RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047\\n Call Trace:\\n \u003cIRQ\u003e\\n bpf_prog_4675cb904b7071f8+0x12e/0x14e\\n bpf_prog_run_pin_on_cpu+0xc6/0x1f0\\n sk_psock_verdict_recv+0x1ba/0x350\\n udp_read_skb+0x31a/0x370\\n sk_psock_verdict_data_ready+0x2e3/0x600\\n __udp_enqueue_schedule_skb+0x4c8/0x650\\n udpv6_queue_rcv_one_skb+0x3ec/0x740\\n udp6_unicast_rcv_skb+0x11d/0x140\\n ip6_protocol_deliver_rcu+0x61e/0x950\\n ip6_input_finish+0xa9/0x150\\n NF_HOOK+0x286/0x2f0\\n ip6_input+0x117/0x220\\n NF_HOOK+0x286/0x2f0\\n __netif_receive_skb+0x85/0x200\\n process_backlog+0x374/0x9a0\\n __napi_poll+0x4f/0x1c0\\n net_rx_action+0x3b0/0x770\\n handle_softirqs+0x15a/0x460\\n do_softirq+0x57/0x80\\n \u003c/IRQ\u003e\\n\\nThe rmem charge that dev_scratch accounted for is released by skb_recv_udp() on\\ndequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear\\nskb-\u003edev so bpf_skc_lookup() falls back to sock_net(skb-\u003esk), which\\nskb_set_owner_sk_safe() set just above.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/ipv4/udp.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"965b57b469a589d64d81b1688b38dcb537011bb0\",\"lessThan\":\"263779a6beff03b8b06f6d25566cb0f45af361f2\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"965b57b469a589d64d81b1688b38dcb537011bb0\",\"lessThan\":\"1b585673a2249f13678e7ac443ac683ba767e0b6\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"965b57b469a589d64d81b1688b38dcb537011bb0\",\"lessThan\":\"90d35188aaa92b8f8b23f66335e0e91bf60103a3\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"965b57b469a589d64d81b1688b38dcb537011bb0\",\"lessThan\":\"6822eed69572000a181fa4e31fceacc60918c471\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"965b57b469a589d64d81b1688b38dcb537011bb0\",\"lessThan\":\"7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"965b57b469a589d64d81b1688b38dcb537011bb0\",\"lessThan\":\"3c94f241f776562c489876ff506f366224565c21\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/ipv4/udp.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"6.0\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"6.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.176\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.143\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.94\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.36\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.0.13\",\"lessThanOrEqual\":\"7.0.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1b585673a2249f13678e7ac443ac683ba767e0b6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/263779a6beff03b8b06f6d25566cb0f45af361f2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3c94f241f776562c489876ff506f366224565c21\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6822eed69572000a181fa4e31fceacc60918c471\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/90d35188aaa92b8f8b23f66335e0e91bf60103a3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…