CVE-2026-53184

Source
https://cve.org/CVERecord?id=CVE-2026-53184
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53184.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53184
Downstream
Related
Published
2026-06-25T08:38:58.189Z
Modified
2026-07-08T08:07:23.581315678Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
udp: clear skb->dev before running a sockmap verdict
Details

In the Linux kernel, the following vulnerability has been resolved:

udp: clear skb->dev before running a sockmap verdict

On the UDP receive path skb->dev is repurposed as devscratch (the truesize/state cache set by udpsetdevscratch()), through the union { struct netdevice *dev; unsigned long devscratch; } in sk_buff.

When a UDP socket is in a sockmap, skdataready is skpsockverdictdataready(), which calls udpreadskb() -> recvactor() (skpsockverdictrecv) to run the attached SKSKB verdict program in softirq. If that program calls a socket-lookup helper (bpfsklookuptcp/udp, bpfskclookuptcp), bpfskc_lookup() does:

if (skb->dev)
    caller_net = dev_net(skb->dev);

skb->dev still holds the devscratch value (a non-NULL integer), so devnet() dereferences it as a struct net_device * and the kernel takes a general protection fault on a non-canonical address in softirq:

Oops: general protection fault, probably for non-canonical address 0x1010000800004a0 CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full) RIP: 0010:bpfskclookup net/core/filter.c:7033 [inline] RIP: 0010:bpfsklookup+0x45/0x160 net/core/filter.c:7047 Call Trace: <IRQ> bpfprog4675cb904b7071f8+0x12e/0x14e bpfprogrunpinoncpu+0xc6/0x1f0 skpsockverdictrecv+0x1ba/0x350 udpreadskb+0x31a/0x370 skpsockverdictdataready+0x2e3/0x600 __udpenqueuescheduleskb+0x4c8/0x650 udpv6queuercvoneskb+0x3ec/0x740 udp6unicastrcvskb+0x11d/0x140 ip6protocoldeliverrcu+0x61e/0x950 ip6inputfinish+0xa9/0x150 NFHOOK+0x286/0x2f0 ip6input+0x117/0x220 NFHOOK+0x286/0x2f0 __netifreceiveskb+0x85/0x200 process_backlog+0x374/0x9a0 _napipoll+0x4f/0x1c0 netrxaction+0x3b0/0x770 handlesoftirqs+0x15a/0x460 dosoftirq+0x57/0x80 </IRQ>

The rmem charge that devscratch accounted for is released by skbrecvudp() on dequeue, just above, so the scratch is dead by the time recvactor() runs. Clear skb->dev so bpfskclookup() falls back to socknet(skb->sk), which skbsetownersk_safe() set just above.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53184.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
965b57b469a589d64d81b1688b38dcb537011bb0
Fixed
263779a6beff03b8b06f6d25566cb0f45af361f2
Fixed
1b585673a2249f13678e7ac443ac683ba767e0b6
Fixed
90d35188aaa92b8f8b23f66335e0e91bf60103a3
Fixed
6822eed69572000a181fa4e31fceacc60918c471
Fixed
7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1
Fixed
3c94f241f776562c489876ff506f366224565c21

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53184.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53184.json"