CVE-2026-53151
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk39th percentile — higher than 39% of all known CVEs
Summary
In the Linux kernel's AF_RXRPC subsystem, a vulnerability was found where the ACK parser incorrectly accesses the SACK buffer in received UDP packets. The rxrpc_input_soft_acks() function modifies the skbuff and may read data incorrectly in fragmented packets, while skb_condense() can silently fail to condense the buffer, leading to parsing errors.
Risk Assessment
An attacker could craft a fragmented UDP packet to cause incorrect reading of the SACK table, potentially leading to data disclosure or system instability.
Recommendation
Immediately update the Linux kernel to a version containing the fix that removes the unnecessary skb_condense() call and ensures safe copying of the SACK table before parsing.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix the ACK parser to extract the SACK table for parsing Fix modification of the received skbuff in rxrpc_input_soft_acks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AF_RXRPC tries to extract the contents of the SACK table by copying out the contents of the SACK table into a buffer before attempting to parse AF_RXRPC assumes that it can just call skb_condense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances. Note that whilst rxrpc_input_soft_acks() should be able to parse extended ACKs, the rest of AF_RXRPC doesn't currently support that. Further, there's then no need to call skb_condense() in rxrpc_input_ack(), so don't.

