HIGH
net/ipv4 ARP UAF
CVE-2026-22988
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 9.8 CRITICAL
01 Description
In the Linux kernel, the following vulnerability has been resolved:

arp: do not assume dev_hard_header() does not change skb->head

arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged.

A recent commit broke this assumption.

Initialize @arp pointer after dev_hard_header() call.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in ARP packet creation allows remote attackers to corrupt kernel memory. The bug occurs when dev_hard_header() reallocates the socket buffer head, invalidating a previously stored ARP header pointer. This can lead to kernel crashes or potential code execution.
Vulnerability analysis
The root cause is in arp_create() storing an ARP header pointer before calling dev_hard_header(), which can reallocate skb->head and invalidate the pointer. The fix moves the pointer initialization to after dev_hard_header() to ensure validity. This is network-reachable as ARP operations are triggered by normal network traffic, requiring no special privileges.
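The ordering described above, as an added userspace model (not kernel code and not the upstream patch): `toy_buf`, `toy_init`, `toy_hard_header` and `build_fixed` are hypothetical names, and the header builder moving the buffer when headroom is short is an assumption of the model. The payload pointer is derived from a tracked offset only after the header call, and the function reports whether a pointer taken earlier would have been stale.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an skb (constructed model, not kernel code). */
struct toy_buf {
    unsigned char *head;   /* start of the allocation */
    size_t data, len, cap; /* packet start offset, packet length, allocation size */
    size_t nh;             /* payload header offset, kept valid across moves */
};

static int toy_init(struct toy_buf *b, size_t headroom, size_t cap) {
    b->head = calloc(1, cap);
    b->data = headroom; b->len = 0; b->cap = cap; b->nh = headroom;
    return b->head ? 0 : -1;
}

/* Hypothetical header builder. Model assumption: with too little headroom it
 * copies the packet into a new allocation and frees the old one. */
static int toy_hard_header(struct toy_buf *b, size_t hlen) {
    if (b->data < hlen) {
        size_t grow = hlen - b->data;
        unsigned char *n = calloc(1, b->cap + grow);
        if (!n) return -1;
        memcpy(n + b->data + grow, b->head + b->data, b->len);
        free(b->head); /* every raw pointer into the old head now dangles */
        b->head = n; b->data += grow; b->nh += grow; b->cap += grow;
    }
    b->data -= hlen; b->len += hlen;
    memset(b->head + b->data, 0xEE, hlen); /* placeholder header bytes */
    return 0;
}

/* Fixed ordering: reserve the payload, build the header, then derive the
 * payload pointer. Returns 1 if a pointer taken before the header call would
 * have been stale, 0 if not, -1 on allocation failure.
 * Caller ensures headroom + strlen(msg) fits in the initial allocation. */
static int build_fixed(struct toy_buf *b, size_t hlen, const char *msg) {
    size_t n = strlen(msg);
    b->nh = b->data + b->len; b->len += n;          /* reserve payload space */
    uintptr_t early = (uintptr_t)(b->head + b->nh); /* buggy order would keep this */
    if (toy_hard_header(b, hlen) < 0) return -1;
    unsigned char *p = b->head + b->nh;             /* re-derived after the call */
    memcpy(p, msg, n);
    return early != (uintptr_t)p;
}

int main(void) {
    struct toy_buf b;
    if (toy_init(&b, 2, 64) < 0) return 1;
    printf("early pointer stale: %d\n", build_fixed(&b, 14, "arp"));
    free(b.head);
    return 0;
}
```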
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.161 | e432dbff342b |
| 6.12 | 6.12.66 | 70bddc16491e |
| 6.18 | 6.18.6 | 029935507d0a |
| 6.6 | 6.6.121 | 393525dee5c3 |