{"cve":{"cve_id":"CVE-2026-52943","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: fix missing zerocopy reference in pskb_carve helpers\n\npskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy\nthe old skb_shared_info header into a new buffer via memcpy(), which\nincludes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.\nNeither function calls net_zcopy_get() for the new shinfo, creating an\nunaccounted holder: every skb_shared_info with destructor_arg set will\ncall skb_zcopy_clear() once when freed, but the corresponding\nnet_zcopy_get() was never called for the new copy. Repeated calls\ndrive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while\nTX skbs still hold live destructor_arg pointers.\n\nKASAN reports use-after-free on a freed ubuf_info_msgzc:\n\n  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810\n  Read of size 8 at addr ffff88801574d3e8 by task poc/220\n\n  Call Trace:\n   skb_release_data+0x77b/0x810\n   kfree_skb_list_reason+0x13e/0x610\n   skb_release_data+0x4cd/0x810\n   sk_skb_reason_drop+0xf3/0x340\n   skb_queue_purge_reason+0x282/0x440\n   rds_tcp_inc_free+0x1e/0x30\n   rds_recvmsg+0x354/0x1780\n   __sys_recvmsg+0xdf/0x180\n\n  Allocated by task 219:\n   msg_zerocopy_realloc+0x157/0x7b0\n   tcp_sendmsg_locked+0x2892/0x3ba0\n\n  Freed by task 219:\n   ip_recv_error+0x74a/0xb10\n   tcp_recvmsg+0x475/0x530\n\nThe skb consuming the late access still referenced the same uarg via\nshinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without\na refcount bump. This has been verified to be reliably exploitable: a\nworking proof-of-concept achieves full root privilege escalation from\nan unprivileged local user on a default kernel configuration.\n\nThe fix follows the pattern of pskb_expand_head() which has the same\nmemcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()\nis placed after skb_orphan_frags() succeeds, so the orphan error path\nneeds no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is\nplaced after all failure points and just before skb_release_data(), so\nno error path needs cleanup at all -- matching pskb_expand_head() more\nclosely and avoiding the need for a balancing net_zcopy_put().","published_at":"2026-06-24T09:00:12.292000Z","last_modified_at":null,"cvss_v3_score":7.8,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/8dbed691e43a50903658130bde0fcb5abc425b37","https://git.kernel.org/stable/c/9b40bdc2a3298225dffab8158208a0d8c6300578","https://git.kernel.org/stable/c/fd470f0a97b8e9a125f520265d2f3b088ffb5b8a","https://git.kernel.org/stable/c/ceafb893b12f23331dcc5ff9587e643c3a40ee9f","https://git.kernel.org/stable/c/2e0e74c59b2761a414d9f48d7bee1e45220b2427","https://git.kernel.org/stable/c/96a4713ae041cc85e712bac682cd2e644004d6c6","https://git.kernel.org/stable/c/474d6c771d798bca84f0a140b611e36743511e18","https://git.kernel.org/stable/c/98d0912e9f841e5529a5b89a972805f34cb1c69d"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:22.518073Z","updated_at":"2026-06-28T23:30:49.890169Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"8dbed691e43a50903658130bde0fcb5abc425b37","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:8dbed691e43a50903658130bde0fcb5abc425b37"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"9b40bdc2a3298225dffab8158208a0d8c6300578","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:9b40bdc2a3298225dffab8158208a0d8c6300578"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"fd470f0a97b8e9a125f520265d2f3b088ffb5b8a","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:fd470f0a97b8e9a125f520265d2f3b088ffb5b8a"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"ceafb893b12f23331dcc5ff9587e643c3a40ee9f","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:ceafb893b12f23331dcc5ff9587e643c3a40ee9f"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"2e0e74c59b2761a414d9f48d7bee1e45220b2427","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:2e0e74c59b2761a414d9f48d7bee1e45220b2427"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"96a4713ae041cc85e712bac682cd2e644004d6c6","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:96a4713ae041cc85e712bac682cd2e644004d6c6"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"474d6c771d798bca84f0a140b611e36743511e18","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:474d6c771d798bca84f0a140b611e36743511e18"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6fa01ccd883021105e9f8af7d04b9f156fa3494a","version_start_inclusive":true,"version_end":"98d0912e9f841e5529a5b89a972805f34cb1c69d","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:6fa01ccd883021105e9f8af7d04b9f156fa3494a:98d0912e9f841e5529a5b89a972805f34cb1c69d"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"4.7","version_start_inclusive":true,"version_end":"4.7","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:4.7:4.7"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"4.7","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:4.7"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.10.259","version_start_inclusive":true,"version_end":"5.10.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.10.259:5.10.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.15.210","version_start_inclusive":true,"version_end":"5.15.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.15.210:5.15.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.1.176","version_start_inclusive":true,"version_end":"6.1.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.1.176:6.1.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.6.143","version_start_inclusive":true,"version_end":"6.6.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.6.143:6.6.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.12.93","version_start_inclusive":true,"version_end":"6.12.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.12.93:6.12.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.18.35","version_start_inclusive":true,"version_end":"6.18.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.18.35:6.18.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.12","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.12:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/8dbed691e43a50903658130bde0fcb5abc425b37","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/9b40bdc2a3298225dffab8158208a0d8c6300578","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/fd470f0a97b8e9a125f520265d2f3b088ffb5b8a","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/ceafb893b12f23331dcc5ff9587e643c3a40ee9f","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/2e0e74c59b2761a414d9f48d7bee1e45220b2427","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/96a4713ae041cc85e712bac682cd2e644004d6c6","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/474d6c771d798bca84f0a140b611e36743511e18","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/98d0912e9f841e5529a5b89a972805f34cb1c69d","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-24T09:00:12.292000Z","label":"CVE published","source":null}]}