Bug 2495904 (CVE-2026-53362) - CVE-2026-53362 kernel: kernel: ipv6 frag escape
Summary: CVE-2026-53362 kernel: kernel: ipv6 frag escape
Keywords:
Status: NEW
Alias: CVE-2026-53362
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-01 12:22 UTC by OSIDB Bzimport
Modified: 2026-07-06 12:59 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:34911 0 None None None 2026-07-02 13:42:42 UTC
Red Hat Product Errata RHSA-2026:34927 0 None None None 2026-07-02 13:18:35 UTC
Red Hat Product Errata RHSA-2026:35840 0 None None None 2026-07-06 04:27:51 UTC

Description OSIDB Bzimport 2026-07-01 12:22:40 UTC
In __ip6_append_data(), when the paged-allocation branch is taken
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
computed as

	alloclen = fragheaderlen + transhdrlen;
	pagedlen = datalen - transhdrlen;

datalen already includes fraggap (datalen = length + fraggap). When
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
The fraggap bytes carried over from the previous skb are copied just past
the fragment headers in the new skb's linear area. The linear area is
therefore undersized by fraggap bytes while pagedlen is overstated by the
same amount, and the copy writes past skb->end into the trailing
skb_shared_info.

An unprivileged user can trigger this via a UDPv6 socket using
MSG_MORE together with MSG_SPLICE_PAGES.

The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
copy value caused -EINVAL to be returned. That later commit allowed
MSG_SPLICE_PAGES to proceed in this case, making the corruption
triggerable.

The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.

After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.

Comment 4 errata-xmlrpc 2026-07-02 13:18:34 UTC
This issue has been addressed in the following products:

  NVIDIA for RHEL 10

Via RHSA-2026:34927 https://access.redhat.com/errata/RHSA-2026:34927

Comment 5 errata-xmlrpc 2026-07-02 13:42:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:34911 https://access.redhat.com/errata/RHSA-2026:34911

Comment 6 errata-xmlrpc 2026-07-06 04:27:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:35840 https://access.redhat.com/errata/RHSA-2026:35840


Note You need to log in before you can comment on or make changes to this bug.