CVE-2026-53362 in Linux
Summary
by MITRE • 07/04/2026
In the Linux kernel, the following vulnerability has been resolved:
ipv6: account for fraggap on the paged allocation path
In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as
alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen;
datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info.
An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES.
The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable.
The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen.
After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
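The accounting error above is easier to see with the numbers written out. The following C program is an added illustration, not kernel code: it models the buggy and the corrected computation of alloclen and pagedlen from the commit message, measures how far the linear copy (fragment headers, then the fraggap carry-over) would run past the allocation, and reproduces the copy value that collapses to -fraggap together with the negative-copy check whose MSG_SPLICE_PAGES exception the fix removes. The struct, function names and sample sizes (40-byte IPv6 header plus 8-byte fragment header, 100 fraggap bytes, 1000 new bytes) are constructed for the example; the real kernel bookkeeping has additional terms (MTU, headroom, tail alignment) that are left out.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the paged-branch size accounting in
 * __ip6_append_data(); names and structure are for illustration only. */
struct paged_alloc {
    size_t alloclen; /* linear bytes requested for the new skb */
    size_t pagedlen; /* bytes expected to be attached as page frags */
};

/* Accounting before the fix. datalen = length + fraggap. */
static struct paged_alloc
paged_account_buggy(size_t fragheaderlen, size_t transhdrlen, size_t datalen)
{
    struct paged_alloc a;
    a.alloclen = fragheaderlen + transhdrlen; /* fraggap not included   */
    a.pagedlen = datalen - transhdrlen;        /* but still counted here */
    return a;
}

/* Accounting after the fix: fraggap moves from pagedlen to alloclen. */
static struct paged_alloc
paged_account_fixed(size_t fragheaderlen, size_t transhdrlen, size_t datalen,
                    size_t fraggap)
{
    struct paged_alloc a;
    a.alloclen = fragheaderlen + transhdrlen + fraggap;
    a.pagedlen = datalen - transhdrlen - fraggap;
    return a;
}

/* The linear area must hold the fragment headers, the fraggap bytes
 * carried over from the previous skb, and any transport header.
 * Returns how many bytes such a copy would land past alloclen (0 = safe). */
static size_t
linear_overrun(struct paged_alloc a, size_t fragheaderlen, size_t transhdrlen,
               size_t fraggap)
{
    size_t need = fragheaderlen + fraggap + transhdrlen;
    return need > a.alloclen ? need - a.alloclen : 0;
}

/* Linear payload left after headers, fraggap and paged data: the "copy"
 * value the commit message says collapsed to -fraggap on the buggy path. */
static long
linear_copy(struct paged_alloc a, size_t transhdrlen, size_t datalen,
            size_t fraggap)
{
    return (long)datalen - (long)transhdrlen - (long)fraggap - (long)a.pagedlen;
}

/* Negative-copy check as the commit message describes it: originally any
 * negative copy was rejected with -EINVAL; commit ce650a166335 added an
 * exception for MSG_SPLICE_PAGES; the fix removes that exception again. */
static int
negative_copy_check(long copy, int splice_pages, int splice_exception)
{
    if (copy < 0 && !(splice_exception && splice_pages))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sizes for a continuation skb (transhdrlen == 0) that
     * carries 100 fraggap bytes in front of 1000 new bytes. */
    size_t fragheaderlen = 40 + 8, transhdrlen = 0, fraggap = 100;
    size_t datalen = 1000 + fraggap;
    struct paged_alloc bad = paged_account_buggy(fragheaderlen, transhdrlen, datalen);
    struct paged_alloc good = paged_account_fixed(fragheaderlen, transhdrlen, datalen, fraggap);

    printf("buggy: alloclen=%zu pagedlen=%zu overrun=%zu copy=%ld\n",
           bad.alloclen, bad.pagedlen,
           linear_overrun(bad, fragheaderlen, transhdrlen, fraggap),
           linear_copy(bad, transhdrlen, datalen, fraggap));
    printf("fixed: alloclen=%zu pagedlen=%zu overrun=%zu copy=%ld\n",
           good.alloclen, good.pagedlen,
           linear_overrun(good, fragheaderlen, transhdrlen, fraggap),
           linear_copy(good, transhdrlen, datalen, fraggap));
    return 0;
}
```

With these inputs the buggy accounting requests 48 linear bytes but needs 148, an overrun of exactly fraggap, and its copy value is -100; the corrected accounting requests 148 bytes with copy 0, and the sum alloclen + pagedlen is the same in both cases, which is why the bug is a misplacement of fraggap rather than a change in total size. Passing the buggy copy value through the check shows the three states the commit message describes: rejected with -EINVAL before ce650a166335, allowed through once the MSG_SPLICE_PAGES exception existed, and no longer negative after the fix.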
Analysis
by VulDB Data Team • 07/04/2026
This vulnerability exists in the Linux kernel's IPv6 implementation, in the __ip6_append_data() function, where memory accounting goes wrong during paged allocation. The flaw specifically affects UDPv6 sockets that use the MSG_MORE flag together with MSG_SPLICE_PAGES, a combination in which the fraggap bytes are not accounted for in the size calculations. When the paged-allocation branch is taken because of a large fragment length or a device feature such as NETIF_F_SG, the kernel computes alloclen and pagedlen without adjusting for the fraggap already included in datalen. The result is an undersized linear area and an overstated paged data length, so the copy writes past skb->end into the trailing skb_shared_info structure.
The root cause is commit 773ba4fe9104, which optimized zero-copy handling but did not account for fraggap on the paged allocation path. Before commit ce650a166335, the incorrect accounting produced a negative copy value that was rejected with -EINVAL, which prevented exploitation. That later commit allowed MSG_SPLICE_PAGES to proceed despite the negative copy value, turning a safe error return into exploitable memory corruption. An unprivileged user reaches the bug through socket operations that take the paged allocation path with a non-zero fraggap, producing a buffer overflow that can corrupt kernel memory structures and potentially enable privilege escalation or system instability.
The operational impact goes beyond simple memory corruption: the flaw is a serious security risk that local unprivileged users could use to compromise system integrity. It affects systems running Linux kernels in which this IPv6 networking path is used, particularly those handling UDPv6 traffic with the MSG_MORE and MSG_SPLICE_PAGES flags. Attackers can force the kernel into the problematic code path through crafted socket operations, leading to denial of service or, depending on system configuration and available attack surface, more severe outcomes. The vulnerability aligns with CWE-121 stack-based buffer overflow and CWE-787 out-of-bounds write, and maps to ATT&CK technique T1068 privilege escalation through kernel memory corruption.
Mitigation should focus on applying the upstream kernel patch, which corrects the accounting by adding fraggap to alloclen and subtracting it from pagedlen in the paged allocation branch. System administrators should prioritize updating affected kernel versions, particularly in environments where unprivileged users have network access or where UDPv6 services are exposed. The fix also removes the stale comment describing the previous arithmetic and drops the MSG_SPLICE_PAGES exception from the negative copy check, since that condition is no longer expected for valid operations. Organizations should track their kernel versions and apply security updates promptly: the vulnerability remains present in older kernel releases that lack this accounting fix, so keeping production kernels current is critical.