VDB

CVE-2026-52935

CVE-2026-52935 PUBLISHED CVSS 7.8 HIGH

Reported by Linux · Published June 24, 2026

In the Linux kernel, the following vulnerability has been resolved: xfrm: espintcp: do not reuse an in-progress partial send espintcp keeps a single in-flight transmit in ctx->partial. Before building a new sk_msg, espintcp_sendmsg() first tries to flush that state through espintcp_push_msgs(). For blocking callers, espintcp_push_msgs() may return success even when the previous partial send is still pending. espintcp_sendmsg() would then reinitialize emsg->skmsg and reuse ctx->partial while the old transfer still owns that state. Do not rebuild the send message when ctx->partial is still in progress. If espintcp_push_msgs() returns with emsg->len still set, fail the new send instead of overwriting the live partial state. This is a memory-safety fix: reusing the live partial-send state can leave a stale offset attached to a new sk_msg and lead to an out-of- bounds read in the send path. tcp_sendmsg_locked() already handles waiting for send buffer memory, so the fix here is just to preserve espintcp's one-message-at-a-time transmit state.

Risk Scores

CVSS 3.1
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
LinuxLinuxe27cca96cd68fa2c6814c90f9a1cfd36bb68c593, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
LinuxLinux5.6, 0, 5.10.259
LinuxLinux7.1, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593, e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
linuxlinux_kernel5.6, 5.6, 5.6

Timeline

  • Jun 24, 2026 CVE Published
  • Jun 25, 2026 Coalition ESS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›