CRITICAL · CVE-2026-52993 · CNA: Linux

CVE-2026-52993: tipc: fix double-free in tipc_buf_append()

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix double-free in tipc_buf_append()

tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free.

Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
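The pointer-ownership mistake described above, modelled in user space as an added example (not kernel code and not part of the original record). `struct buf`, `validate()`, `append()` and `max_frees()` are hypothetical stand-ins, and frees are counted rather than performed so the double free can be observed safely.

```c
#include <stdio.h>
/* Toy stand-in for an skb (hypothetical): frees are counted, not performed,
   so a double free shows up as frees == 2 instead of corrupting memory. */
struct buf { int frees; int valid; };
static struct buf pool[4];
static int pool_next;

static struct buf *buf_alloc(int valid) {
    struct buf *b = &pool[pool_next++];
    b->frees = 0; b->valid = valid;
    return b;
}
static void buf_free(struct buf *b) { if (b) b->frees++; }

/* Models the reallocating case of tipc_msg_validate() as described above:
   *pb is replaced, the old buffer is freed, and validation can still fail. */
static int validate(struct buf **pb) {
    struct buf *old = *pb;
    *pb = buf_alloc(old->valid);
    buf_free(old);
    return (*pb)->valid;
}

/* Error-path shape from the description; fixed != 0 applies the described fix. */
static int append(struct buf **headbuf, int fixed) {
    struct buf *head = *headbuf;          /* local copy of the caller's pointer */
    if (validate(&head)) { *headbuf = head; return 0; }
    if (fixed && head != *headbuf)
        *headbuf = head;                  /* point at the reallocated buffer */
    buf_free(*headbuf);                   /* unfixed: stale original, freed twice */
    *headbuf = NULL;
    return -1;
}

/* Runs one failing-validation case; returns the highest per-buffer free count. */
static int max_frees(int fixed) {
    int worst = 0;
    pool_next = 0;
    struct buf *head = buf_alloc(0);      /* constructed input: fails validation */
    append(&head, fixed);
    for (int i = 0; i < pool_next; i++)
        if (pool[i].frees > worst) worst = pool[i].frees;
    return worst;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", max_frees(0), max_frees(1));
    return 0;
}
```

In this model the unfixed path also never frees the replacement buffer, so the same mistake produces a leak alongside the double free.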

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A double-free vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) networking subsystem, specifically in the tipc_buf_append() function. The flaw is reachable over the network without any authentication or user interaction: a remote attacker can send crafted TIPC packets that trigger an skb (socket buffer) reallocation and a subsequent invalid free of an already-freed pointer. Successful exploitation gives the attacker full read, write, and crash capabilities against the affected host. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-52993 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected Linux kernel version. Images scanned in CI pipelines or pushed to connected registries are covered with the same matching capability.

Status: Available

Triage

HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and surfaces it accordingly in each customer's triage queue, weighted against that environment's active compliance policy. Routing rules direct the finding to the team or inbox configured for critical-severity kernel issues within each customer organization.

Status: Available

Patch

A patched-image rebuild pinned to one of the upstream fix commits is available on HarborGuard for any image found to carry an affected kernel version. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the TIPC service over the network; no local access or physical presence is needed.

  • Authentication: Not required

    No credentials or session token of any kind are required; the exploit is available to any remote sender.

  • Victim interaction: Not required

    No user on the target system needs to open a file, click a link, or take any other action for exploitation to succeed.

  • Attack complexity: Detail

    Attack complexity is low; the exploit is reliable and requires no special timing, race conditions, or knowledge of memory layout beyond sending crafted TIPC packets.

Blast Radius

  • A successful attacker can read arbitrary kernel memory, exposing cryptographic keys, session tokens, and other sensitive data held in kernel space.
  • The attacker can write to arbitrary kernel memory, allowing modification of security-critical kernel structures or persisted data paths.
  • Exploiting the double-free can crash the affected host entirely, causing a full denial of service for all workloads running on that node.
  • Kernel memory corruption from the double-free creates a practical path to full privilege escalation and arbitrary code execution at the kernel level.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-52993 is active the moment the CVE enters upstream feeds, with matching applied to every image in connected registries and CI pipelines, including custom kernel-bundling images. For environments running an affected kernel version, a patched-image rebuild against the upstream fix commits is available immediately.

Customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads; for high and critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in those environments. Where compliance policy requires manual approval, the finding is queued at critical priority with full CVSS detail and affected-layer context so reviewers can act quickly.

Given the network-exposed, no-auth nature of this vulnerability, customers who cannot immediately apply the kernel patch should consider restricting TIPC port exposure via Kubernetes network policies or host-level firewall rules as a compensating control while the rebuild is reviewed.


Fix available

Affected packages
  • Linux / Linux
    < a438975a6dcdbd70865978c021650d1485586f0b (from d618d09a68e4eed7a435beb2e355250f6f40664a) · < 4ee4deadaae7cb2e3d53af0fc889cf92a73413c0 (from d618d09a68e4eed7a435beb2e355250f6f40664a) · < d3556656c6daebf8def751c7e71d11dd0a180d24 (from d618d09a68e4eed7a435beb2e355250f6f40664a) · < 0274f24485fc38032d4093e463dc3ff5c7a667c9 (from d618d09a68e4eed7a435beb2e355250f6f40664a) · < 4d104882bc815d4ec666ace9155f5f52715879a6 (from d618d09a68e4eed7a435beb2e355250f6f40664a) · < 1d5e589055880fae229e229e1929e087dbe08cf3 (from d618d09a68e4eed7a435beb2e355250f6f40664a)
  • Linux / Linux
    4.15
    Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H