{"cve":{"cve_id":"CVE-2026-53184","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nudp: clear skb->dev before running a sockmap verdict\n\nOn the UDP receive path skb->dev is repurposed as dev_scratch (the\ntruesize/state cache set by udp_set_dev_scratch()), through the\nunion { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.\n\nWhen a UDP socket is in a sockmap, sk_data_ready is\nsk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor()\n(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.\nIf that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,\nbpf_skc_lookup_tcp), bpf_skc_lookup() does:\n\n\tif (skb->dev)\n\t\tcaller_net = dev_net(skb->dev);\n\nskb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net()\ndereferences it as a struct net_device * and the kernel takes a general\nprotection fault on a non-canonical address in softirq:\n\n  Oops: general protection fault, probably for non-canonical address 0x1010000800004a0\n  CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)\n  RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]\n  RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047\n  Call Trace:\n   <IRQ>\n   bpf_prog_4675cb904b7071f8+0x12e/0x14e\n   bpf_prog_run_pin_on_cpu+0xc6/0x1f0\n   sk_psock_verdict_recv+0x1ba/0x350\n   udp_read_skb+0x31a/0x370\n   sk_psock_verdict_data_ready+0x2e3/0x600\n   __udp_enqueue_schedule_skb+0x4c8/0x650\n   udpv6_queue_rcv_one_skb+0x3ec/0x740\n   udp6_unicast_rcv_skb+0x11d/0x140\n   ip6_protocol_deliver_rcu+0x61e/0x950\n   ip6_input_finish+0xa9/0x150\n   NF_HOOK+0x286/0x2f0\n   ip6_input+0x117/0x220\n   NF_HOOK+0x286/0x2f0\n   __netif_receive_skb+0x85/0x200\n   process_backlog+0x374/0x9a0\n   __napi_poll+0x4f/0x1c0\n   net_rx_action+0x3b0/0x770\n   handle_softirqs+0x15a/0x460\n   do_softirq+0x57/0x80\n   </IRQ>\n\nThe rmem charge that dev_scratch accounted for is released by skb_recv_udp() on\ndequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear\nskb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which\nskb_set_owner_sk_safe() set just above.","published_at":"2026-06-25T08:38:58.189000Z","last_modified_at":null,"cvss_v3_score":7.5,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/263779a6beff03b8b06f6d25566cb0f45af361f2","https://git.kernel.org/stable/c/1b585673a2249f13678e7ac443ac683ba767e0b6","https://git.kernel.org/stable/c/90d35188aaa92b8f8b23f66335e0e91bf60103a3","https://git.kernel.org/stable/c/6822eed69572000a181fa4e31fceacc60918c471","https://git.kernel.org/stable/c/7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1","https://git.kernel.org/stable/c/3c94f241f776562c489876ff506f366224565c21"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:28.590503Z","updated_at":"2026-06-28T23:30:51.545322Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"N","value_label":"None"},{"metric":"I","name":"Integrity","value":"N","value_label":"None"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"965b57b469a589d64d81b1688b38dcb537011bb0","version_start_inclusive":true,"version_end":"263779a6beff03b8b06f6d25566cb0f45af361f2","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:965b57b469a589d64d81b1688b38dcb537011bb0:263779a6beff03b8b06f6d25566cb0f45af361f2"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"965b57b469a589d64d81b1688b38dcb537011bb0","version_start_inclusive":true,"version_end":"1b585673a2249f13678e7ac443ac683ba767e0b6","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:965b57b469a589d64d81b1688b38dcb537011bb0:1b585673a2249f13678e7ac443ac683ba767e0b6"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"965b57b469a589d64d81b1688b38dcb537011bb0","version_start_inclusive":true,"version_end":"90d35188aaa92b8f8b23f66335e0e91bf60103a3","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:965b57b469a589d64d81b1688b38dcb537011bb0:90d35188aaa92b8f8b23f66335e0e91bf60103a3"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"965b57b469a589d64d81b1688b38dcb537011bb0","version_start_inclusive":true,"version_end":"6822eed69572000a181fa4e31fceacc60918c471","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:965b57b469a589d64d81b1688b38dcb537011bb0:6822eed69572000a181fa4e31fceacc60918c471"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"965b57b469a589d64d81b1688b38dcb537011bb0","version_start_inclusive":true,"version_end":"7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:965b57b469a589d64d81b1688b38dcb537011bb0:7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"965b57b469a589d64d81b1688b38dcb537011bb0","version_start_inclusive":true,"version_end":"3c94f241f776562c489876ff506f366224565c21","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:965b57b469a589d64d81b1688b38dcb537011bb0:3c94f241f776562c489876ff506f366224565c21"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.0","version_start_inclusive":true,"version_end":"6.0","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.0:6.0"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"6.0","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:6.0"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.1.176","version_start_inclusive":true,"version_end":"6.1.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.1.176:6.1.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.6.143","version_start_inclusive":true,"version_end":"6.6.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.6.143:6.6.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.12.94","version_start_inclusive":true,"version_end":"6.12.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.12.94:6.12.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.18.36","version_start_inclusive":true,"version_end":"6.18.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.18.36:6.18.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.13","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.13:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/263779a6beff03b8b06f6d25566cb0f45af361f2","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/1b585673a2249f13678e7ac443ac683ba767e0b6","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/90d35188aaa92b8f8b23f66335e0e91bf60103a3","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/6822eed69572000a181fa4e31fceacc60918c471","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/3c94f241f776562c489876ff506f366224565c21","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-25T08:38:58.189000Z","label":"CVE published","source":null}]}