CVE-2026-53233
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
A double-free vulnerability was found in the Linux kernel in the netdev_nl_bind_rx_doit() function. The error path incorrectly calls nlmsg_free() after genlmsg_reply() already consumed the skb, causing a double-free.
Risk Assessment
Double-free memory corruption can lead to system crashes (kernel panic) or potentially privilege escalation if exploited by a local user.
Recommendation
Immediately update the Linux kernel to a version containing the fix that removes the nlmsg_free() call in the error path and propagates the error to the user.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netdev: fix double-free in netdev_nl_bind_rx_doit() Sashiko flags that genlmsg_reply() always consumes the skb. The error path calls nlmsg_free(rsp) so we can't jump directly to it. Let's not unbind, just propagate the error to the user. This is the typical way of handling genlmsg_reply() failures. They shouldn't happen unless user does something silly like calling the kernel with an already-full rcvbuf.

