CVE-2026-53362

Source
https://cve.org/CVERecord?id=CVE-2026-53362
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53362.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53362
Downstream
Published
2026-07-04T11:56:35.864Z
Modified
2026-07-08T08:13:46.753886515Z
Summary
ipv6: account for fraggap on the paged allocation path
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: account for fraggap on the paged allocation path

In _ip6appenddata(), when the paged-allocation branch is taken (MSGMORE / NETIFFSG / large fraglen), alloclen and pagedlen are computed as

alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;

datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skbsharedinfo.

An unprivileged user can trigger this via a UDPv6 socket using MSGMORE together with MSGSPLICE_PAGES.

The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6appenddata()'s handling of MSGSPLICEPAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSGSPLICEPAGES to proceed in this case, making the corruption triggerable.

The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen.

After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSGSPLICEPAGES case, remove the MSGSPLICEPAGES exception from the negative copy check.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53362.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
773ba4fe9104a64a54d1c00f0fb6ffb95def2b03
Fixed
14200d435af9a9eeb444f529fc2f689a236b7962
Fixed
65fb14cbebb0cd0eff903a22d33537ddc8b95769
Fixed
46f201f8b4c39633a1fa3dc12459f506d470993d
Fixed
6374fb9edf72c67a118a2c214a0dddd04c921e0a
Fixed
e9eacf19281ea2498b36291b56c9606118c2d74e
Fixed
736b380e28d0480c7bc3e022f1950f31fe53a7c5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53362.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.177
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.144
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.95
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.38
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.1.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53362.json"