FKIE_CVE-2026-52993

Vulnerability from fkie_nvd - Published: 2026-06-24 17:17 - Updated: 2026-06-30 03:20
Summary
In the Linux kernel, the following vulnerability has been resolved: tipc: fix double-free in tipc_buf_append() tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free. Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
Impacted products
Vendor Product Version

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/msg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a438975a6dcdbd70865978c021650d1485586f0b",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            },
            {
              "lessThan": "4ee4deadaae7cb2e3d53af0fc889cf92a73413c0",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            },
            {
              "lessThan": "d3556656c6daebf8def751c7e71d11dd0a180d24",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            },
            {
              "lessThan": "0274f24485fc38032d4093e463dc3ff5c7a667c9",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            },
            {
              "lessThan": "4d104882bc815d4ec666ace9155f5f52715879a6",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            },
            {
              "lessThan": "1d5e589055880fae229e229e1929e087dbe08cf3",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            },
            {
              "lessThan": "29940fff14110ca48c5ccc168d121665b51bb778",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            },
            {
              "lessThan": "d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a",
              "status": "affected",
              "version": "d618d09a68e4eed7a435beb2e355250f6f40664a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/msg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix double-free in tipc_buf_append()\n\ntipc_msg_validate() can potentially reallocate the skb it is validating,\nfreeing the old one.  In tipc_buf_append(), it was being called with a\npointer to a local variable which was a copy of the caller\u0027s skb\npointer.\n\nIf the skb was reallocated and validation subsequently failed, the error\nhandling path would free the original skb pointer, which had already\nbeen freed, leading to double-free.\n\nFix this by checking if head now points to a newly allocated reassembled\nskb.  If it does, reassign *headbuf for later freeing operations."
    }
  ],
  "id": "CVE-2026-52993",
  "lastModified": "2026-06-30T03:20:52.980",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.9,
        "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-24T17:17:10.203",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0274f24485fc38032d4093e463dc3ff5c7a667c9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1d5e589055880fae229e229e1929e087dbe08cf3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/29940fff14110ca48c5ccc168d121665b51bb778"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4d104882bc815d4ec666ace9155f5f52715879a6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4ee4deadaae7cb2e3d53af0fc889cf92a73413c0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a438975a6dcdbd70865978c021650d1485586f0b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d3556656c6daebf8def751c7e71d11dd0a180d24"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52993"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492437"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52993.json"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-763"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…