{"api_version":"1","generated_at":"2026-07-17T07:10:04+00:00","cve":"CVE-2026-53366","urls":{"html":"https://cve.report/CVE-2026-53366","api":"https://cve.report/api/cve/CVE-2026-53366.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53366","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53366"},"summary":{"title":"ipv4: account for fraggap on the paged allocation path","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: account for fraggap on the paged allocation path\n\nIn __ip_append_data(), when the paged-allocation branch is taken,\nalloclen and pagedlen are computed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap, but the fraggap bytes carried over\nfrom the previous skb are copied into the new skb's linear area at\noffset transhdrlen by the subsequent skb_copy_and_csum_bits(). The\nlinear area is therefore undersized by fraggap bytes while pagedlen is\noverstated by the same amount.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-07-16 06:16:27","updated_at":"2026-07-16 17:16:18"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/77798d7be6ef71e72fb6fc8a2901bf74ebc9706f","name":"https://git.kernel.org/stable/c/77798d7be6ef71e72fb6fc8a2901bf74ebc9706f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c04d9ece23deb9e26c19f9ca215e98b3295aa1bb","name":"https://git.kernel.org/stable/c/c04d9ece23deb9e26c19f9ca215e98b3295aa1bb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a9c24eda24bd15f432e37824e6fc440977cb241c","name":"https://git.kernel.org/stable/c/a9c24eda24bd15f432e37824e6fc440977cb241c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ce494707a9c07f27c219ca67f3e138061f53d9b3","name":"https://git.kernel.org/stable/c/ce494707a9c07f27c219ca67f3e138061f53d9b3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/eca856950f7cb1a221e02b99d758409f2c5cec42","name":"https://git.kernel.org/stable/c/eca856950f7cb1a221e02b99d758409f2c5cec42","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53366","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53366","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8eb77cc73977d88787b37c92831b1c242e035396 ce494707a9c07f27c219ca67f3e138061f53d9b3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8eb77cc73977d88787b37c92831b1c242e035396 a9c24eda24bd15f432e37824e6fc440977cb241c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8eb77cc73977d88787b37c92831b1c242e035396 77798d7be6ef71e72fb6fc8a2901bf74ebc9706f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8eb77cc73977d88787b37c92831b1c242e035396 c04d9ece23deb9e26c19f9ca215e98b3295aa1bb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8eb77cc73977d88787b37c92831b1c242e035396 eca856950f7cb1a221e02b99d758409f2c5cec42 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.0","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.0 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.144 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.95 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.38 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1.3 7.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.2-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53366","cve":"CVE-2026-53366","epss":"0.001910000","percentile":"0.089670000","score_date":"2026-07-16","updated_at":"2026-07-17 00:05:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/ipv4/ip_output.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"ce494707a9c07f27c219ca67f3e138061f53d9b3","status":"affected","version":"8eb77cc73977d88787b37c92831b1c242e035396","versionType":"git"},{"lessThan":"a9c24eda24bd15f432e37824e6fc440977cb241c","status":"affected","version":"8eb77cc73977d88787b37c92831b1c242e035396","versionType":"git"},{"lessThan":"77798d7be6ef71e72fb6fc8a2901bf74ebc9706f","status":"affected","version":"8eb77cc73977d88787b37c92831b1c242e035396","versionType":"git"},{"lessThan":"c04d9ece23deb9e26c19f9ca215e98b3295aa1bb","status":"affected","version":"8eb77cc73977d88787b37c92831b1c242e035396","versionType":"git"},{"lessThan":"eca856950f7cb1a221e02b99d758409f2c5cec42","status":"affected","version":"8eb77cc73977d88787b37c92831b1c242e035396","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/ipv4/ip_output.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.0"},{"lessThan":"6.0","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.144","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.95","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.38","versionType":"semver"},{"lessThanOrEqual":"7.1.*","status":"unaffected","version":"7.1.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.2-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.144","versionStartIncluding":"6.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.95","versionStartIncluding":"6.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.38","versionStartIncluding":"6.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1.3","versionStartIncluding":"6.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.2-rc1","versionStartIncluding":"6.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: account for fraggap on the paged allocation path\n\nIn __ip_append_data(), when the paged-allocation branch is taken,\nalloclen and pagedlen are computed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap, but the fraggap bytes carried over\nfrom the previous skb are copied into the new skb's linear area at\noffset transhdrlen by the subsequent skb_copy_and_csum_bits(). The\nlinear area is therefore undersized by fraggap bytes while pagedlen is\noverstated by the same amount.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic."}],"providerMetadata":{"dateUpdated":"2026-07-16T05:13:40.893Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/ce494707a9c07f27c219ca67f3e138061f53d9b3"},{"url":"https://git.kernel.org/stable/c/a9c24eda24bd15f432e37824e6fc440977cb241c"},{"url":"https://git.kernel.org/stable/c/77798d7be6ef71e72fb6fc8a2901bf74ebc9706f"},{"url":"https://git.kernel.org/stable/c/c04d9ece23deb9e26c19f9ca215e98b3295aa1bb"},{"url":"https://git.kernel.org/stable/c/eca856950f7cb1a221e02b99d758409f2c5cec42"}],"title":"ipv4: account for fraggap on the paged allocation path","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53366","datePublished":"2026-07-16T05:13:40.893Z","dateReserved":"2026-06-09T07:44:35.400Z","dateUpdated":"2026-07-16T05:13:40.893Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-16 06:16:27","lastModifiedDate":"2026-07-16 17:16:18","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53366","Ordinal":"1","Title":"ipv4: account for fraggap on the paged allocation path","CVE":"CVE-2026-53366","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53366","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: account for fraggap on the paged allocation path\n\nIn __ip_append_data(), when the paged-allocation branch is taken,\nalloclen and pagedlen are computed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap, but the fraggap bytes carried over\nfrom the previous skb are copied into the new skb's linear area at\noffset transhdrlen by the subsequent skb_copy_and_csum_bits(). The\nlinear area is therefore undersized by fraggap bytes while pagedlen is\noverstated by the same amount.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic.","Type":"Description","Title":"ipv4: account for fraggap on the paged allocation path"}]}}}