CVE-2026-53184 (GCVE-0-2026-53184)

Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
udp: clear skb->dev before running a sockmap verdict
Summary
In the Linux kernel, the following vulnerability has been resolved:

udp: clear skb->dev before running a sockmap verdict

On the UDP receive path skb->dev is repurposed as dev_scratch (the truesize/state cache set by udp_set_dev_scratch()), through the union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.

When a UDP socket is in a sockmap, sk_data_ready is sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor() (sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq. If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp), bpf_skc_lookup() does:

    if (skb->dev)
        caller_net = dev_net(skb->dev);

skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net() dereferences it as a struct net_device * and the kernel takes a general protection fault on a non-canonical address in softirq:

    Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
    CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
    RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
    RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
    Call Trace:
     <IRQ>
     bpf_prog_4675cb904b7071f8+0x12e/0x14e
     bpf_prog_run_pin_on_cpu+0xc6/0x1f0
     sk_psock_verdict_recv+0x1ba/0x350
     udp_read_skb+0x31a/0x370
     sk_psock_verdict_data_ready+0x2e3/0x600
     __udp_enqueue_schedule_skb+0x4c8/0x650
     udpv6_queue_rcv_one_skb+0x3ec/0x740
     udp6_unicast_rcv_skb+0x11d/0x140
     ip6_protocol_deliver_rcu+0x61e/0x950
     ip6_input_finish+0xa9/0x150
     NF_HOOK+0x286/0x2f0
     ip6_input+0x117/0x220
     NF_HOOK+0x286/0x2f0
     __netif_receive_skb+0x85/0x200
     process_backlog+0x374/0x9a0
     __napi_poll+0x4f/0x1c0
     net_rx_action+0x3b0/0x770
     handle_softirqs+0x15a/0x460
     do_softirq+0x57/0x80
     </IRQ>

The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which skb_set_owner_sk_safe() set just above.
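The union confusion described in the summary, as a user-space model added here for illustration (not kernel code and not part of the CVE record). Only the dev/dev_scratch union comes from the text; the other struct layouts, the function names, the scratch value and the 48-bit address width are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model. Only the dev/dev_scratch union is taken from the CVE
 * text; the other struct layouts are simplified stand-ins. */
struct net { int id; };
struct net_device { struct net *nd_net; };
struct sock { struct net *sk_net; };

struct sk_buff {
    union {                        /* same storage, two meanings */
        struct net_device *dev;
        unsigned long dev_scratch;
    };
    struct sock *sk;
};

enum net_source { NET_FROM_DEV, NET_FROM_SOCK };

/* Mirrors the branch quoted from bpf_skc_lookup(), but only reports which
 * pointer would be followed instead of dereferencing it. */
static enum net_source lookup_net_source(const struct sk_buff *skb)
{
    return skb->dev ? NET_FROM_DEV : NET_FROM_SOCK;
}

/* The fix described in the record: drop the dead scratch value. */
static void clear_dev_before_verdict(struct sk_buff *skb)
{
    skb->dev = NULL;
}

/* x86-64 with 48-bit virtual addresses (assumed): bits 63..47 must match. */
static int is_canonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Build a constructed skb the way the UDP receive path leaves it and
 * report where the lookup would take its netns from. */
static enum net_source model_verdict_path(int apply_fix)
{
    struct net ns = { .id = 1 };
    struct sock sk = { .sk_net = &ns };
    struct sk_buff skb = { .sk = &sk };

    skb.dev_scratch = 0x300UL;     /* constructed non-zero scratch value */
    if (apply_fix)
        clear_dev_before_verdict(&skb);
    return lookup_net_source(&skb);
}

int main(void)
{
    printf("unpatched: %s\n", model_verdict_path(0) == NET_FROM_DEV ? "dev (bogus pointer)" : "sock");
    printf("patched:   %s\n", model_verdict_path(1) == NET_FROM_DEV ? "dev (bogus pointer)" : "sock");
    printf("oops address canonical? %d\n", is_canonical48(0x1010000800004a0ULL));
    return 0;
}
```

The canonical-address check shows why the oops is reported as a general protection fault: the address from the trace fails the check, so the CPU rejects the access before any page-table lookup.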
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 263779a6beff03b8b06f6d25566cb0f45af361f2 (git)
Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 1b585673a2249f13678e7ac443ac683ba767e0b6 (git)
Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 90d35188aaa92b8f8b23f66335e0e91bf60103a3 (git)
Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 6822eed69572000a181fa4e31fceacc60918c471 (git)
Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1 (git)
Affected: 965b57b469a589d64d81b1688b38dcb537011bb0 , < 3c94f241f776562c489876ff506f366224565c21 (git)
Linux Linux Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.176 , ≤ 6.1.* (semver)
Unaffected: 6.6.143 , ≤ 6.6.* (semver)
Unaffected: 6.12.94 , ≤ 6.12.* (semver)
Unaffected: 6.18.36 , ≤ 6.18.* (semver)
Unaffected: 7.0.13 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "263779a6beff03b8b06f6d25566cb0f45af361f2",
              "status": "affected",
              "version": "965b57b469a589d64d81b1688b38dcb537011bb0",
              "versionType": "git"
            },
            {
              "lessThan": "1b585673a2249f13678e7ac443ac683ba767e0b6",
              "status": "affected",
              "version": "965b57b469a589d64d81b1688b38dcb537011bb0",
              "versionType": "git"
            },
            {
              "lessThan": "90d35188aaa92b8f8b23f66335e0e91bf60103a3",
              "status": "affected",
              "version": "965b57b469a589d64d81b1688b38dcb537011bb0",
              "versionType": "git"
            },
            {
              "lessThan": "6822eed69572000a181fa4e31fceacc60918c471",
              "status": "affected",
              "version": "965b57b469a589d64d81b1688b38dcb537011bb0",
              "versionType": "git"
            },
            {
              "lessThan": "7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1",
              "status": "affected",
              "version": "965b57b469a589d64d81b1688b38dcb537011bb0",
              "versionType": "git"
            },
            {
              "lessThan": "3c94f241f776562c489876ff506f366224565c21",
              "status": "affected",
              "version": "965b57b469a589d64d81b1688b38dcb537011bb0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.176",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.143",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.94",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.36",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.13",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: clear skb-\u003edev before running a sockmap verdict\n\nOn the UDP receive path skb-\u003edev is repurposed as dev_scratch (the\ntruesize/state cache set by udp_set_dev_scratch()), through the\nunion { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.\n\nWhen a UDP socket is in a sockmap, sk_data_ready is\nsk_psock_verdict_data_ready(), which calls udp_read_skb() -\u003e recv_actor()\n(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.\nIf that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,\nbpf_skc_lookup_tcp), bpf_skc_lookup() does:\n\n\tif (skb-\u003edev)\n\t\tcaller_net = dev_net(skb-\u003edev);\n\nskb-\u003edev still holds the dev_scratch value (a non-NULL integer), so dev_net()\ndereferences it as a struct net_device * and the kernel takes a general\nprotection fault on a non-canonical address in softirq:\n\n  Oops: general protection fault, probably for non-canonical address 0x1010000800004a0\n  CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)\n  RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]\n  RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047\n  Call Trace:\n   \u003cIRQ\u003e\n   bpf_prog_4675cb904b7071f8+0x12e/0x14e\n   bpf_prog_run_pin_on_cpu+0xc6/0x1f0\n   sk_psock_verdict_recv+0x1ba/0x350\n   udp_read_skb+0x31a/0x370\n   sk_psock_verdict_data_ready+0x2e3/0x600\n   __udp_enqueue_schedule_skb+0x4c8/0x650\n   udpv6_queue_rcv_one_skb+0x3ec/0x740\n   udp6_unicast_rcv_skb+0x11d/0x140\n   ip6_protocol_deliver_rcu+0x61e/0x950\n   ip6_input_finish+0xa9/0x150\n   NF_HOOK+0x286/0x2f0\n   ip6_input+0x117/0x220\n   NF_HOOK+0x286/0x2f0\n   __netif_receive_skb+0x85/0x200\n   process_backlog+0x374/0x9a0\n   __napi_poll+0x4f/0x1c0\n   net_rx_action+0x3b0/0x770\n   handle_softirqs+0x15a/0x460\n   do_softirq+0x57/0x80\n   \u003c/IRQ\u003e\n\nThe rmem charge that dev_scratch accounted for is released by skb_recv_udp() on\ndequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear\nskb-\u003edev so bpf_skc_lookup() falls back to sock_net(skb-\u003esk), which\nskb_set_owner_sk_safe() set just above."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T06:39:58.363Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/263779a6beff03b8b06f6d25566cb0f45af361f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b585673a2249f13678e7ac443ac683ba767e0b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/90d35188aaa92b8f8b23f66335e0e91bf60103a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/6822eed69572000a181fa4e31fceacc60918c471"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c94f241f776562c489876ff506f366224565c21"
        }
      ],
      "title": "udp: clear skb-\u003edev before running a sockmap verdict",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53184",
    "datePublished": "2026-06-25T08:38:58.189Z",
    "dateReserved": "2026-06-09T07:44:35.390Z",
    "dateUpdated": "2026-06-28T06:39:58.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53184",
      "date": "2026-06-30",
      "epss": "0.00506",
      "percentile": "0.39373"
    }
  }
}

