CVE-2026-53236 in Linux

Summary

by MITRE • 06/25/2026

In the Linux kernel, the following vulnerability has been resolved:

tcp: restrict SO_ATTACH_FILTER to priv users

This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets to users with CAP_NET_ADMIN capability.

This blocks a potential side-channel attack where an unprivileged application attaches a filter to leak TCP sequence/acknowledgment numbers.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability addressed in this Linux kernel patch is a security flaw in the TCP networking subsystem that could enable unauthorized information disclosure through improper socket filtering privileges. The issue stems from the SO_ATTACH_FILTER socket option, which allows users to attach Berkeley Packet Filter (BPF) programs to TCP sockets, creating a potential attack vector for side-channel information leakage.

The technical flaw lies in insufficient privilege checking for SO_ATTACH_FILTER, which was previously accessible to unprivileged users without proper authorization. This oversight allowed any process to attach cBPF filters to TCP sockets, enabling malicious actors to potentially observe and extract sensitive sequence and acknowledgment numbers from TCP connections. The vulnerability specifically affects the TCP protocol implementation within the Linux kernel's networking stack, where socket filtering operations are not properly restricted based on user privileges.

The operational impact of this vulnerability is severe, as it provides attackers with a method to perform passive network monitoring and information gathering without requiring elevated system privileges. An unprivileged application could exploit this weakness to construct side-channel attacks that monitor TCP sequence numbers, potentially leading to connection hijacking, session prediction, or other advanced attack techniques. This capability significantly undermines the security of TCP communications and could be leveraged in conjunction with other network-based attacks to compromise system integrity.

The mitigation implemented through this patch enforces strict privilege requirements by restricting SO_ATTACH_FILTER usage to users possessing the CAP_NET_ADMIN capability, which is a privileged network administration capability within Linux. This change aligns with the principle of least privilege and ensures that only properly authorized administrators can attach packet filters to TCP sockets. The solution follows established security practices for kernel-level privilege management and prevents unauthorized access to sensitive networking information through proper capability-based access controls.

This vulnerability type corresponds to CWE-276, which deals with incorrect permissions for critical resources, and aligns with ATT&CK technique T1046 for network service scanning and T1566 for social engineering through credential access. The patch demonstrates the importance of proper privilege separation in kernel networking components and reinforces the need for comprehensive security review of socket-level operations that could provide information leakage channels to unprivileged users.

Responsible

Linux

Reservation

06/09/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00180

KEV

no

Activities

very low
