udp: clear skb->dev before running a sockmap verdict

Summary

CVE: CVE-2026-53184
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-25 09:16:35 UTC
Updated: 2026-06-25 09:16:35 UTC
Description:

In the Linux kernel, the following vulnerability has been resolved:

udp: clear skb->dev before running a sockmap verdict

On the UDP receive path skb->dev is repurposed as dev_scratch (the truesize/state cache set by udp_set_dev_scratch()), through the union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.

When a UDP socket is in a sockmap, sk_data_ready is sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor() (sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq. If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp), bpf_skc_lookup() does:

    if (skb->dev)
        caller_net = dev_net(skb->dev);

skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net() dereferences it as a struct net_device * and the kernel takes a general protection fault on a non-canonical address in softirq:

    Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
    CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
    RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
    RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
    Call Trace:
     <IRQ>
     bpf_prog_4675cb904b7071f8+0x12e/0x14e
     bpf_prog_run_pin_on_cpu+0xc6/0x1f0
     sk_psock_verdict_recv+0x1ba/0x350
     udp_read_skb+0x31a/0x370
     sk_psock_verdict_data_ready+0x2e3/0x600
     __udp_enqueue_schedule_skb+0x4c8/0x650
     udpv6_queue_rcv_one_skb+0x3ec/0x740
     udp6_unicast_rcv_skb+0x11d/0x140
     ip6_protocol_deliver_rcu+0x61e/0x950
     ip6_input_finish+0xa9/0x150
     NF_HOOK+0x286/0x2f0
     ip6_input+0x117/0x220
     NF_HOOK+0x286/0x2f0
     __netif_receive_skb+0x85/0x200
     process_backlog+0x374/0x9a0
     __napi_poll+0x4f/0x1c0
     net_rx_action+0x3b0/0x770
     handle_softirqs+0x15a/0x460
     do_softirq+0x57/0x80
     </IRQ>

The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on dequeue, just above, so the scratch is dead by the time recv_actor() runs.

Clear skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which skb_set_owner_sk_safe() set just above.
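
A userspace model of the union confusion described above, added here as an illustration; it is not kernel code and not taken from the fix commit. The structs are reduced to the fields the description names, and pick_caller_net(), udp_verdict_path() and the scratch value are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Reduced userspace model: only the fields the description names. */
struct net { int id; };
struct net_device { struct net *nd_net; };
struct sock { struct net *sk_net; };

struct sk_buff {
    union {                          /* one slot, two meanings */
        struct net_device *dev;
        unsigned long dev_scratch;
    };
    struct sock *sk;
};

enum net_source { FROM_DEV, FROM_SOCK };

/* Mirrors the branch quoted from bpf_skc_lookup(): non-zero bits in the slot
 * count as a device pointer. Reports the choice instead of dereferencing. */
static enum net_source pick_caller_net(const struct sk_buff *skb)
{
    return skb->dev ? FROM_DEV : FROM_SOCK;
}

/* Models the receive path up to the verdict program.
 * scratch:   constructed stand-in for the truesize/state cache value
 * apply_fix: clear skb->dev before the verdict runs, as the fix does */
static enum net_source udp_verdict_path(unsigned long scratch, int apply_fix)
{
    static struct net ns = { 1 };
    static struct sock sk = { &ns };
    struct sk_buff skb = { .sk = &sk };  /* skb_set_owner_sk_safe() */

    skb.dev_scratch = scratch;       /* udp_set_dev_scratch() reuses the slot */
    if (apply_fix)
        skb.dev = NULL;              /* scratch is dead once rmem is released */
    return pick_caller_net(&skb);
}

int main(void)
{
    const unsigned long scratch = 0x4a0;  /* constructed, not a valid pointer */
    const char *name[] = { "dev_net(skb->dev) on scratch bits", "sock_net(skb->sk)" };
    printf("unfixed: %s\n", name[udp_verdict_path(scratch, 0)]);
    printf("fixed:   %s\n", name[udp_verdict_path(scratch, 1)]);
    return 0;
}
```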

Vendor Declared Affected Products

Source | Vendor | Product | Version | Platforms
CNA | Linux | Linux | affected 965b57b469a589d64d81b1688b38dcb537011bb0 263779a6beff03b8b06f6d25566cb0f45af361f2 git | Not specified
CNA | Linux | Linux | affected 965b57b469a589d64d81b1688b38dcb537011bb0 1b585673a2249f13678e7ac443ac683ba767e0b6 git | Not specified
CNA | Linux | Linux | affected 965b57b469a589d64d81b1688b38dcb537011bb0 90d35188aaa92b8f8b23f66335e0e91bf60103a3 git | Not specified
CNA | Linux | Linux | affected 965b57b469a589d64d81b1688b38dcb537011bb0 6822eed69572000a181fa4e31fceacc60918c471 git | Not specified
CNA | Linux | Linux | affected 965b57b469a589d64d81b1688b38dcb537011bb0 7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1 git | Not specified
CNA | Linux | Linux | affected 965b57b469a589d64d81b1688b38dcb537011bb0 3c94f241f776562c489876ff506f366224565c21 git | Not specified
CNA | Linux | Linux | affected 6.0 | Not specified
CNA | Linux | Linux | unaffected 6.0 semver | Not specified
CNA | Linux | Linux | unaffected 6.1.176 6.1.* semver | Not specified
CNA | Linux | Linux | unaffected 6.6.143 6.6.* semver | Not specified
CNA | Linux | Linux | unaffected 6.12.94 6.12.* semver | Not specified
CNA | Linux | Linux | unaffected 6.18.36 6.18.* semver | Not specified
CNA | Linux | Linux | unaffected 7.0.13 7.0.* semver | Not specified
CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified

References

Reference | Source | Link | Tags
git.kernel.org/stable/c/90d35188aaa92b8f8b23f66335e0e91bf60103a3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/263779a6beff03b8b06f6d25566cb0f45af361f2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/1b585673a2249f13678e7ac443ac683ba767e0b6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/6822eed69572000a181fa4e31fceacc60918c471 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/3c94f241f776562c489876ff506f366224565c21 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis