In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix the ACK parser to extract the SACK table for parsing
Fix modification of the received skbuff in rxrpcinputsoftacks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AFRXRPC tries to extract the contents of the SACK table by copying out the contents of the SACK table into a buffer before attempting to parse
AFRXRPC assumes that it can just call skbcondense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances.
Note that whilst rxrpcinputsoftacks() should be able to parse extended ACKs, the rest of AFRXRPC doesn't currently support that.
Further, there's then no need to call skbcondense() in rxrpcinput_ack(), so don't.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53151.json",
"cna_assigner": "Linux"
}