CVE-2026-52935
Reported by Linux · Published June 24, 2026
In the Linux kernel, the following vulnerability has been resolved: xfrm: espintcp: do not reuse an in-progress partial send espintcp keeps a single in-flight transmit in ctx->partial. Before building a new sk_msg, espintcp_sendmsg() first tries to flush that state through espintcp_push_msgs(). For blocking callers, espintcp_push_msgs() may return success even when the previous partial send is still pending. espintcp_sendmsg() would then reinitialize emsg->skmsg and reuse ctx->partial while the old transfer still owns that state. Do not rebuild the send message when ctx->partial is still in progress. If espintcp_push_msgs() returns with emsg->len still set, fail the new send instead of overwriting the live partial state. This is a memory-safety fix: reusing the live partial-send state can leave a stale offset attached to a new sk_msg and lead to an out-of- bounds read in the send path. tcp_sendmsg_locked() already handles waiting for send buffer memory, so the fix here is just to preserve espintcp's one-message-at-a-time transmit state.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | e27cca96cd68fa2c6814c90f9a1cfd36bb68c593, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 |
| Linux | Linux | 5.6, 0, 5.10.259 |
| Linux | Linux | 7.1, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 |
| linux | linux_kernel | 5.6, 5.6, 5.6 |
Timeline
- Jun 24, 2026 CVE Published
- Jun 25, 2026 Coalition ESS Score