KernelScan.io

CRITICAL

rxrpc SACK Table OOB

CVE-2026-53151

CVSS 9.8 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 6.3 MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix the ACK parser to extract the SACK table for parsing

Fix modification of the received skbuff in rxrpc_input_soft_acks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AF_RXRPC tries to extract the contents of the SACK table by copying out the contents of the SACK table into a buffer before attempting to parse it.

AF_RXRPC assumes that it can just call skb_condense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances.

Note that whilst rxrpc_input_soft_acks() should be able to parse extended ACKs, the rest of AF_RXRPC doesn't currently support that.

Further, there's then no need to call skb_condense() in rxrpc_input_ack(), so don't.

02

Engine v0.3.0

Risk summary

A remote peer that can deliver UDP datagrams to a host with an open AF_RXRPC endpoint can send a deliberately fragmented datagram carrying an RxRPC ACK and make the kernel's rxrpc ACK parser read the SACK table past the end of the skb's linear buffer. The engine characterises the outcome as information disclosure (adjacent slab memory read as SACK entries) and denial of service (kernel oops if the read crosses into an unmapped page); the commit message itself describes the bug as modification of the received skbuff and "a potential incorrect access of the buffer", and the parsed entries are only used to update the call's local transmit state, not sent back to the peer, so treat the disclosure impact as an upper bound. No authentication is required, but the path is reachable only on hosts that process RxRPC traffic: the rxrpc module must be loaded (or built in) and a local endpoint open, for example a mounted kAFS filesystem or an application bound to an AF_RXRPC socket. A host with no rxrpc endpoint has no UDP socket on which the packet is received.

Affected: net/rxrpc/input.c (AF_RXRPC ACK parser)

Vulnerability analysis

rxrpc_input_soft_acks() assumed that calling skb_condense() always leaves the received skb linear, and then read the SACK table directly from skb->data at a fixed offset past the wire header and ACK header. skb_condense() only pulls paged fragments into the linear area when they fit in the skb's existing tailroom and the skb is not cloned; otherwise it returns without changing the layout, and it reports nothing either way. A deliberately fragmented UDP datagram can therefore arrive as a non-linear skb whose linear part ends before, or inside, the SACK table, so the fixed-offset read runs past skb_headlen() into whatever follows the linear buffer: adjacent slab memory, or an unmapped page, which produces an oops. The fix replaces the direct skb->data access with skb_copy_bits(), copying up to 256 bytes of the SACK table into a local buffer (a gather copy that walks fragments and fails cleanly if the packet is too short) and parsing from that copy, and removes the skb_condense() call from rxrpc_input_ack(), which also stops the parser from modifying a received skb in place. The attack surface is network-reachable without authentication from any peer that can send UDP to a host with an open AF_RXRPC endpoint.
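The two access patterns contrasted above, as an added userspace model written for this page (it is not code from the page, from the kernel, or from the fix). It models a non-linear skb as a linear head plus one fragment, shows how far a fixed-offset read from skb->data would stray past skb_headlen() when the SACK table straddles the fragment boundary, and parses the same table safely through a stand-in for skb_copy_bits(). The header sizes (28-byte rxrpc_wire_header, 18-byte rxrpc_ackpacket ending in nAcks), the ACK/NACK byte values and the sample datagram are the editor's assumptions; model_skb, model_skb_copy_bits(), sack_linear_overrun(), count_sacked() and build_split_ack() are names invented here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SACK table position inside an RxRPC ACK packet, as the editor reads
 * net/rxrpc/protocol.h: 28-byte wire header, then an 18-byte ACK header whose
 * last byte is nAcks, then nAcks one-byte entries. Assumed, not from the page. */
#define RXRPC_WIRE_HDR_LEN 28
#define RXRPC_ACKPKT_LEN   18
#define RXRPC_MAXACKS      255
#define SACK_OFF           (RXRPC_WIRE_HDR_LEN + RXRPC_ACKPKT_LEN)

/* Minimal model of a non-linear sk_buff: a linear head (skb->data, length
 * skb_headlen()) plus one paged fragment holding the rest of the datagram. */
struct model_skb {
    const uint8_t *head;
    size_t headlen;
    const uint8_t *frag;
    size_t fraglen;
};

static size_t model_skb_len(const struct model_skb *s)
{
    return s->headlen + s->fraglen;
}

/* Stand-in for skb_copy_bits(): gather len bytes from offset off, crossing from
 * the linear head into the fragment as needed. Returns -EFAULT when the packet
 * is too short, the bounds check a direct skb->data read never performs. */
static int model_skb_copy_bits(const struct model_skb *s, size_t off,
                               uint8_t *to, size_t len)
{
    size_t n = 0;

    if (off + len > model_skb_len(s))
        return -EFAULT;
    if (off < s->headlen) {
        n = s->headlen - off;
        if (n > len)
            n = len;
        memcpy(to, s->head + off, n);
    }
    if (n < len)
        memcpy(to + n, s->frag + (off + n - s->headlen), len - n);
    return 0;
}

/* Vulnerable pattern: assume skb_condense() linearised the skb and read the
 * table at skb->data + SACK_OFF. Instead of performing the over-read, report
 * how many bytes it would stray past skb_headlen() (0 means the read is safe). */
static size_t sack_linear_overrun(const struct model_skb *s, uint8_t nr_acks)
{
    size_t end = SACK_OFF + (size_t)nr_acks;

    return end > s->headlen ? end - s->headlen : 0;
}

/* Fixed pattern: copy the table out of the skb first, then parse the copy.
 * Returns the number of entries marked ACK (value 1; NACK is 0, an assumption
 * about the wire encoding) or -errno if the packet is truncated. */
static int count_sacked(const struct model_skb *s, uint8_t nr_acks)
{
    uint8_t table[RXRPC_MAXACKS];
    int acked = 0;
    int ret = model_skb_copy_bits(s, SACK_OFF, table, nr_acks);

    if (ret)
        return ret;
    for (size_t i = 0; i < nr_acks; i++)
        acked += (table[i] == 1);
    return acked;
}

/* Constructed sample datagram (not a capture): zeroed headers, nAcks set, a
 * SACK table that NACKs every third packet, split at headlen bytes so the
 * table straddles the linear/fragment boundary, as a deliberately fragmented
 * UDP datagram does when skb_condense() declines to pull the fragment in. */
static uint8_t g_pkt[SACK_OFF + RXRPC_MAXACKS];
static struct model_skb g_skb;

static const struct model_skb *build_split_ack(uint8_t nr_acks, size_t headlen)
{
    size_t total = SACK_OFF + (size_t)nr_acks;

    memset(g_pkt, 0, sizeof(g_pkt));
    g_pkt[SACK_OFF - 1] = nr_acks;                /* rxrpc_ackpacket.nAcks */
    for (size_t i = 0; i < nr_acks; i++)
        g_pkt[SACK_OFF + i] = (i % 3 == 0) ? 0 : 1;
    if (headlen > total)
        headlen = total;
    g_skb.head = g_pkt;
    g_skb.headlen = headlen;
    g_skb.frag = g_pkt + headlen;
    g_skb.fraglen = total - headlen;
    return &g_skb;
}

int main(void)
{
    const struct model_skb *skb = build_split_ack(200, 60); /* 14 of 200 SACK bytes linear */

    printf("direct read would overrun the linear area by %zu bytes\n",
           sack_linear_overrun(skb, 200));
    printf("copy-then-parse counts %d ACKed packets\n", count_sacked(skb, 200));
    printf("claiming 250 entries in a 200-entry packet -> %d (-EFAULT is %d)\n",
           count_sacked(skb, 250), -EFAULT);
    return 0;
}
```

The second printf is the point of the fix: parsing from the copied table gives the same answer whether or not the skb is linear, and a peer that advertises more entries than the datagram carries gets an error instead of a read past the buffer.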

03

Branch      Fixed in    Patch commit
6.18        6.18.36     566c4c1244de
7.0         7.0.13      224298450be5
mainline    7.1         333b6d5bb9f8