Bug 2492837 (CVE-2026-53151) - CVE-2026-53151 kernel: rxrpc: Fix the ACK parser to extract the SACK table for parsing
Summary: CVE-2026-53151 kernel: rxrpc: Fix the ACK parser to extract the SACK table fo...
Keywords:
Status: NEW
Alias: CVE-2026-53151
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:08 UTC by OSIDB Bzimport
Modified: 2026-06-26 06:52 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:08:20 UTC 
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix the ACK parser to extract the SACK table for parsing

Fix modification of the received skbuff in rxrpc_input_soft_acks() and a
potential incorrect access of the buffer in a fragmented UDP packet (the
packet would probably have to be deliberately pre-generated as fragmented)
when AF_RXRPC tries to extract the contents of the SACK table by copying
out the contents of the SACK table into a buffer before attempting to parse

AF_RXRPC assumes that it can just call skb_condense() and then validly
access the SACK table from skb->data and that it will be a flat buffer -
but skb_condense() can silently fail to do anything under some
circumstances.

Note that whilst rxrpc_input_soft_acks() should be able to parse extended
ACKs, the rest of AF_RXRPC doesn't currently support that.

Further, there's then no need to call skb_condense() in rxrpc_input_ack(),
so don't.
Comment 1 TEJ RATHI 2026-06-26 06:47:54 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062547-CVE-2026-53151-4924@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.