CVE-2026-53366 (GCVE-0-2026-53366)

Vulnerability from cvelistv5 – Published: 2026-07-16 05:13 – Updated: 2026-07-16 05:13
VLAI
Title
ipv4: account for fraggap on the paged allocation path
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv4: account for fraggap on the paged allocation path In __ip_append_data(), when the paged-allocation branch is taken, alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap, but the fraggap bytes carried over from the previous skb are copied into the new skb's linear area at offset transhdrlen by the subsequent skb_copy_and_csum_bits(). The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8eb77cc73977d88787b37c92831b1c242e035396 , < ce494707a9c07f27c219ca67f3e138061f53d9b3 (git)
Affected: 8eb77cc73977d88787b37c92831b1c242e035396 , < a9c24eda24bd15f432e37824e6fc440977cb241c (git)
Affected: 8eb77cc73977d88787b37c92831b1c242e035396 , < 77798d7be6ef71e72fb6fc8a2901bf74ebc9706f (git)
Affected: 8eb77cc73977d88787b37c92831b1c242e035396 , < c04d9ece23deb9e26c19f9ca215e98b3295aa1bb (git)
Affected: 8eb77cc73977d88787b37c92831b1c242e035396 , < eca856950f7cb1a221e02b99d758409f2c5cec42 (git)
Create a notification for this product.
Linux Linux Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.6.144 , ≤ 6.6.* (semver)
Unaffected: 6.12.95 , ≤ 6.12.* (semver)
Unaffected: 6.18.38 , ≤ 6.18.* (semver)
Unaffected: 7.1.3 , ≤ 7.1.* (semver)
Unaffected: 7.2-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ip_output.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ce494707a9c07f27c219ca67f3e138061f53d9b3",
              "status": "affected",
              "version": "8eb77cc73977d88787b37c92831b1c242e035396",
              "versionType": "git"
            },
            {
              "lessThan": "a9c24eda24bd15f432e37824e6fc440977cb241c",
              "status": "affected",
              "version": "8eb77cc73977d88787b37c92831b1c242e035396",
              "versionType": "git"
            },
            {
              "lessThan": "77798d7be6ef71e72fb6fc8a2901bf74ebc9706f",
              "status": "affected",
              "version": "8eb77cc73977d88787b37c92831b1c242e035396",
              "versionType": "git"
            },
            {
              "lessThan": "c04d9ece23deb9e26c19f9ca215e98b3295aa1bb",
              "status": "affected",
              "version": "8eb77cc73977d88787b37c92831b1c242e035396",
              "versionType": "git"
            },
            {
              "lessThan": "eca856950f7cb1a221e02b99d758409f2c5cec42",
              "status": "affected",
              "version": "8eb77cc73977d88787b37c92831b1c242e035396",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ip_output.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.38",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.1.*",
              "status": "unaffected",
              "version": "7.1.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.2-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.144",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.95",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.38",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1.3",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.2-rc1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: account for fraggap on the paged allocation path\n\nIn __ip_append_data(), when the paged-allocation branch is taken,\nalloclen and pagedlen are computed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap, but the fraggap bytes carried over\nfrom the previous skb are copied into the new skb\u0027s linear area at\noffset transhdrlen by the subsequent skb_copy_and_csum_bits(). The\nlinear area is therefore undersized by fraggap bytes while pagedlen is\noverstated by the same amount.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-16T05:13:40.893Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ce494707a9c07f27c219ca67f3e138061f53d9b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9c24eda24bd15f432e37824e6fc440977cb241c"
        },
        {
          "url": "https://git.kernel.org/stable/c/77798d7be6ef71e72fb6fc8a2901bf74ebc9706f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c04d9ece23deb9e26c19f9ca215e98b3295aa1bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/eca856950f7cb1a221e02b99d758409f2c5cec42"
        }
      ],
      "title": "ipv4: account for fraggap on the paged allocation path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53366",
    "datePublished": "2026-07-16T05:13:40.893Z",
    "dateReserved": "2026-06-09T07:44:35.400Z",
    "dateUpdated": "2026-07-16T05:13:40.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53366",
      "date": "2026-07-16",
      "epss": "0.00191",
      "percentile": "0.08967"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-53366\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-07-16T06:16:27.333\",\"lastModified\":\"2026-07-16T17:16:18.057\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv4: account for fraggap on the paged allocation path\\n\\nIn __ip_append_data(), when the paged-allocation branch is taken,\\nalloclen and pagedlen are computed as\\n\\n\\talloclen = fragheaderlen + transhdrlen;\\n\\tpagedlen = datalen - transhdrlen;\\n\\ndatalen already includes fraggap, but the fraggap bytes carried over\\nfrom the previous skb are copied into the new skb\u0027s linear area at\\noffset transhdrlen by the subsequent skb_copy_and_csum_bits(). The\\nlinear area is therefore undersized by fraggap bytes while pagedlen is\\noverstated by the same amount.\\n\\nThe non-paged branch sets alloclen to fraglen, which already accounts\\nfor fraggap because datalen does. Bring the paged branch in line by\\nadding fraggap to alloclen and subtracting it from pagedlen.\\n\\nAfter this adjustment, copy no longer collapses to -fraggap on the\\npaged path, so remove the stale comment describing that old arithmetic.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/ipv4/ip_output.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"8eb77cc73977d88787b37c92831b1c242e035396\",\"lessThan\":\"ce494707a9c07f27c219ca67f3e138061f53d9b3\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"8eb77cc73977d88787b37c92831b1c242e035396\",\"lessThan\":\"a9c24eda24bd15f432e37824e6fc440977cb241c\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"8eb77cc73977d88787b37c92831b1c242e035396\",\"lessThan\":\"77798d7be6ef71e72fb6fc8a2901bf74ebc9706f\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"8eb77cc73977d88787b37c92831b1c242e035396\",\"lessThan\":\"c04d9ece23deb9e26c19f9ca215e98b3295aa1bb\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"8eb77cc73977d88787b37c92831b1c242e035396\",\"lessThan\":\"eca856950f7cb1a221e02b99d758409f2c5cec42\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/ipv4/ip_output.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"6.0\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"6.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.144\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.95\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.38\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1.3\",\"lessThanOrEqual\":\"7.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.2-rc1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/77798d7be6ef71e72fb6fc8a2901bf74ebc9706f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a9c24eda24bd15f432e37824e6fc440977cb241c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c04d9ece23deb9e26c19f9ca215e98b3295aa1bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ce494707a9c07f27c219ca67f3e138061f53d9b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eca856950f7cb1a221e02b99d758409f2c5cec42\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…