CVE-2026-53250

Source
https://cve.org/CVERecord?id=CVE-2026-53250
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53250.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53250
Downstream
Published
2026-06-25T08:39:42.630Z
Modified
2026-07-08T08:09:46.437964623Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()
Details

In the Linux kernel, the following vulnerability has been resolved:

xsk: cache csumstart/csumoffset to fix TOCTOU in xskskbmetadata()

The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xskskbmetadata(), csumstart and csumoffset are read from shared memory for bounds validation, then read again for skb assignment. A malicious userspace application can race to overwrite these values between the two reads, bypassing the bounds check and causing out-of-bounds memory access during checksum computation in the transmit path.

Fix this by reading csumstart and csumoffset into local variables once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch_time) and the cached csum fields may be mutually inconsistent due to concurrent userspace writes, but this is benign: the only security-critical invariant is that each field's validated value is the same one used, which local caching guarantees.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53250.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
48eb03dd26304c24f03bdbb9382e89c8564e71df
Fixed
0dfe05b938435892875e07771170051346412df9
Fixed
bfdfd2706d5fb2cd496a1506e680daf979309c8b
Fixed
22ba97ea9cc1f63a0d0244fae38057ed452b6ac7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53250.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53250.json"