CVE-2026-53362
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2026
Last modified:
04/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: account for fraggap on the paged allocation path

In __ip6_append_data(), when the paged-allocation branch is taken
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
computed as

    alloclen = fragheaderlen + transhdrlen;
    pagedlen = datalen - transhdrlen;

datalen already includes fraggap (datalen = length + fraggap). When
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
The fraggap bytes carried over from the previous skb are copied just past
the fragment headers in the new skb's linear area. The linear area is
therefore undersized by fraggap bytes while pagedlen is overstated by the
same amount, and the copy writes past skb->end into the trailing
skb_shared_info.

An unprivileged user can trigger this via a UDPv6 socket using
MSG_MORE together with MSG_SPLICE_PAGES.

The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
copy value caused -EINVAL to be returned. That later commit allowed
MSG_SPLICE_PAGES to proceed in this case, making the corruption
triggerable.

The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.

After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
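The accounting error described above, modelled as an added example that is not kernel code: the two assignments from the description are evaluated with and without the fix, and the model reports how far the linear-area writes (headers plus the fraggap bytes) would extend past alloclen. The struct, function names and the sample sizes (48 header bytes, 24-byte gap, 1000-byte payload) are assumptions for illustration; the form of the `copy` expression is inferred from the description's statement that it collapsed to -fraggap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the two sizes the paged branch derives; not kernel code. */
struct paged_sizes {
    size_t alloclen; /* bytes reserved in the skb linear area */
    size_t pagedlen; /* bytes to be placed in page fragments */
};

/* The assignments quoted in the description, with datalen = length + fraggap.
 * `fixed` applies the corrected accounting from the fix. */
static struct paged_sizes paged_sizes(size_t length, size_t fraggap,
                                      size_t fragheaderlen, size_t transhdrlen,
                                      bool fixed)
{
    size_t datalen = length + fraggap;
    struct paged_sizes s = {
        .alloclen = fragheaderlen + transhdrlen,
        .pagedlen = datalen - transhdrlen,
    };
    if (fixed) {
        s.alloclen += fraggap; /* linear area must also hold the gap bytes */
        s.pagedlen -= fraggap; /* ... which are therefore not paged */
    }
    return s;
}

/* Bytes by which the linear writes (fragment headers, transport header and the
 * fraggap bytes copied from the previous skb) exceed alloclen, i.e. would
 * spill past skb->end into skb_shared_info. 0 means the layout is consistent. */
static size_t linear_overrun(size_t length, size_t fraggap,
                             size_t fragheaderlen, size_t transhdrlen, bool fixed)
{
    struct paged_sizes s = paged_sizes(length, fraggap, fragheaderlen, transhdrlen, fixed);
    size_t needed = fragheaderlen + transhdrlen + fraggap;
    return needed > s.alloclen ? needed - s.alloclen : 0;
}

/* Bytes left to copy into the linear area once headers, gap and paged data are
 * accounted for (assumed form of the `copy` value the description mentions). */
static long copy_remaining(size_t length, size_t fraggap,
                           size_t fragheaderlen, size_t transhdrlen, bool fixed)
{
    struct paged_sizes s = paged_sizes(length, fraggap, fragheaderlen, transhdrlen, fixed);
    return (long)(length + fraggap) - (long)transhdrlen - (long)fraggap - (long)s.pagedlen;
}

int main(void)
{
    /* Constructed sample: second skb (transhdrlen == 0) with a 24-byte fraggap. */
    printf("overrun pre-fix: %zu, post-fix: %zu\n",
           linear_overrun(1000, 24, 48, 0, false), linear_overrun(1000, 24, 48, 0, true));
    return 0;
}
```

In both variants the linear payload plus pagedlen still sums to datalen; the fix only moves the fraggap bytes from the paged share to the linear share, which is what turns the overrun into zero.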
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/14200d435af9a9eeb444f529fc2f689a236b7962
- https://git.kernel.org/stable/c/46f201f8b4c39633a1fa3dc12459f506d470993d
- https://git.kernel.org/stable/c/6374fb9edf72c67a118a2c214a0dddd04c921e0a
- https://git.kernel.org/stable/c/65fb14cbebb0cd0eff903a22d33537ddc8b95769
- https://git.kernel.org/stable/c/736b380e28d0480c7bc3e022f1950f31fe53a7c5
- https://git.kernel.org/stable/c/e9eacf19281ea2498b36291b56c9606118c2d74e