tipc: fix double-free in tipc_buf_append()

Summary

CVE	CVE-2026-52993
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-24 17:17:10 UTC
Updated	2026-06-24 17:17:10 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: tipc: fix double-free in tipc_buf_append() tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free. Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.

Risk And Classification

EPSS: 0.001760000 probability, percentile 0.073550000 (date 2026-06-25)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a a438975a6dcdbd70865978c021650d1485586f0b git	Not specified
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a 4ee4deadaae7cb2e3d53af0fc889cf92a73413c0 git	Not specified
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a d3556656c6daebf8def751c7e71d11dd0a180d24 git	Not specified
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a 0274f24485fc38032d4093e463dc3ff5c7a667c9 git	Not specified
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a 4d104882bc815d4ec666ace9155f5f52715879a6 git	Not specified
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a 1d5e589055880fae229e229e1929e087dbe08cf3 git	Not specified
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a 29940fff14110ca48c5ccc168d121665b51bb778 git	Not specified
CNA	Linux	Linux	affected d618d09a68e4eed7a435beb2e355250f6f40664a d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a git	Not specified
CNA	Linux	Linux	affected 4.15	Not specified
CNA	Linux	Linux	unaffected 4.15 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.258 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.209 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.175 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.141 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.91 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.33 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.10 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/4ee4deadaae7cb2e3d53af0fc889cf92a73413c0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a438975a6dcdbd70865978c021650d1485586f0b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/29940fff14110ca48c5ccc168d121665b51bb778	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d3556656c6daebf8def751c7e71d11dd0a180d24	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/4d104882bc815d4ec666ace9155f5f52715879a6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0274f24485fc38032d4093e463dc3ff5c7a667c9	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/1d5e589055880fae229e229e1929e087dbe08cf3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.