In the Linux kernel, the following vulnerability has been resolved:
xfrm: espintcp: do not reuse an in-progress partial send
espintcp keeps a single in-flight transmit in ctx->partial. Before building a new skmsg, espintcpsendmsg() first tries to flush that state through espintcppushmsgs().
For blocking callers, espintcppushmsgs() may return success even when the previous partial send is still pending. espintcp_sendmsg() would then reinitialize emsg->skmsg and reuse ctx->partial while the old transfer still owns that state.
Do not rebuild the send message when ctx->partial is still in progress. If espintcppushmsgs() returns with emsg->len still set, fail the new send instead of overwriting the live partial state.
This is a memory-safety fix: reusing the live partial-send state can leave a stale offset attached to a new sk_msg and lead to an out-of- bounds read in the send path.
tcpsendmsglocked() already handles waiting for send buffer memory, so the fix here is just to preserve espintcp's one-message-at-a-time transmit state.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52935.json",
"cna_assigner": "Linux"
}