CVE-2026-53088: net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
In the Linux kernel, the following vulnerability has been resolved: net: bcmgenet: fix off-by-one in bcmgenet_put_txcb. The write_ptr points to the next open tx_cb. We want to return the tx_cb that gets rewound, so we must rewind the pointer first then return the tx_cb that it points to. That way the txcb can be correctly cleaned up.
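The rewind the commit message describes, modelled as an added example. This is not the driver's code and not the upstream fix: the four-slot ring, the field names cb_ptr/end_ptr/write_ptr, and the functions get_txcb(), put_txcb_buggy(), put_txcb_fixed() and count_correct_unwinds() are this example's own constructions, chosen only to echo the commit message's terminology. It shows why computing the returned block before rewinding write_ptr hands back the next open slot instead of the one just claimed, including across the ring's wrap-around.

```c
#include <stdio.h>

#define RING_SIZE 4   /* constructed: a tiny ring so the wrap-around is easy to trace */

/* One transmit control block. The real driver's block also carries the skb
 * and DMA mapping, which is why handing back the wrong one breaks cleanup. */
struct enet_cb {
    int slot;
};

/* Minimal transmit ring; layout is this example's assumption, not the driver's. */
struct tx_ring {
    struct enet_cb cbs[RING_SIZE];
    unsigned int cb_ptr;     /* index of the ring's first slot */
    unsigned int end_ptr;    /* index of the ring's last slot */
    unsigned int write_ptr;  /* index of the next open slot */
};

static void ring_init(struct tx_ring *ring, unsigned int write_ptr)
{
    for (int i = 0; i < RING_SIZE; i++)
        ring->cbs[i].slot = i;
    ring->cb_ptr = 0;
    ring->end_ptr = RING_SIZE - 1;
    ring->write_ptr = write_ptr;   /* pretend earlier traffic left it here */
}

/* Claim the slot write_ptr names and advance it, wrapping at end_ptr. */
static struct enet_cb *get_txcb(struct tx_ring *ring)
{
    struct enet_cb *cb = &ring->cbs[ring->write_ptr - ring->cb_ptr];

    if (ring->write_ptr == ring->end_ptr)
        ring->write_ptr = ring->cb_ptr;
    else
        ring->write_ptr++;
    return cb;
}

/* Pre-fix ordering: the block is taken from write_ptr BEFORE the rewind,
 * so it is the next open slot, one past the block that was actually claimed. */
static struct enet_cb *put_txcb_buggy(struct tx_ring *ring)
{
    struct enet_cb *cb = &ring->cbs[ring->write_ptr - ring->cb_ptr];

    if (ring->write_ptr == ring->cb_ptr)
        ring->write_ptr = ring->end_ptr;
    else
        ring->write_ptr--;
    return cb;
}

/* Fixed ordering: rewind first, then return the block write_ptr now names,
 * which is the one most recently handed out by get_txcb(). */
static struct enet_cb *put_txcb_fixed(struct tx_ring *ring)
{
    if (ring->write_ptr == ring->cb_ptr)
        ring->write_ptr = ring->end_ptr;
    else
        ring->write_ptr--;
    return &ring->cbs[ring->write_ptr - ring->cb_ptr];
}

/* Model a transmit that claims nfrags blocks and then has to unwind them.
 * Returns how many put() calls handed back the block the matching get()
 * had claimed; a correct rewind returns every block in reverse order, so
 * the result equals nfrags. Returns -1 for arguments outside the toy ring. */
static int count_correct_unwinds(struct enet_cb *(*put)(struct tx_ring *),
                                 unsigned int start, int nfrags)
{
    struct tx_ring ring;
    struct enet_cb *claimed[RING_SIZE];
    int correct = 0;

    if (nfrags < 0 || nfrags > RING_SIZE || start >= RING_SIZE)
        return -1;

    ring_init(&ring, start);
    for (int i = 0; i < nfrags; i++)
        claimed[i] = get_txcb(&ring);
    for (int i = nfrags - 1; i >= 0; i--)
        if (put(&ring) == claimed[i])
            correct++;
    return correct;
}

int main(void)
{
    /* start at slot 3 so the second claim wraps around to slot 0 */
    printf("buggy: %d of 2 blocks unwound correctly\n",
           count_correct_unwinds(put_txcb_buggy, 3, 2));
    printf("fixed: %d of 2 blocks unwound correctly\n",
           count_correct_unwinds(put_txcb_fixed, 3, 2));
    return 0;
}
```

Only the order of two statements differs between the two put variants, yet the pre-fix ordering never returns the block that was just claimed: the caller cleans up a slot that was never filled and leaves the real one's resources in place, which is the incorrect cleanup the commit message refers to.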
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
- Affected Products
- 2
HarborGuard Analysis
Synopsis
An off-by-one bug exists in the Linux kernel's bcmgenet driver (Broadcom GENET Ethernet controllers, as used in Broadcom set-top-box SoCs and the Raspberry Pi 4), in the bcmgenet_put_txcb function that hands a transmit control buffer back when a transmit is unwound. The fix commit describes the defect as computing the control buffer from the write pointer before rewinding it, so the next open buffer is returned instead of the one just used, and the wrong buffer is cleaned up. The assigned CVSS 3.1 vector rates the flaw as reachable over the network with no authentication and no user interaction, with full confidentiality, integrity and availability impact (9.8, Critical); the exploit conditions and blast radius stated below are readings of that vector. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection of CVE-2026-53088 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected Linux kernel version. Any image in a connected registry or CI pipeline that carries an affected kernel build with the bcmgenet driver will surface in results automatically. The match is on kernel version; whether the driver is actually loaded on a given node depends on that node's hardware having a GENET MAC.
HarborGuard scores this finding at CVSS 9.8 Critical (v3.1) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Routed alerts reach the team or inbox configured for critical-severity kernel findings, reducing time-to-acknowledgment without manual triage steps.
A patched-image rebuild pinned to the upstream fix commits is available on HarborGuard for any image found running an affected kernel version. For customers who opt into auto-remediation, the platform rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the target over the network; no physical or local access is needed (AV:N).
- Authentication: Not required
No credentials or account of any privilege level are required to attempt exploitation (PR:N).
- Victim interaction: Not required
Exploitation is fully attacker-driven and does not require any action from a user or administrator on the target system (UI:N).
- Attack complexity: Low
The vector rates the exploit as reliable and condition-free, requiring no race-condition timing or special environmental setup to succeed (AC:L).
Blast Radius
- Confidentiality (C:H): a successful attacker could read kernel memory, exposing secrets, session material, and data from other processes on the host.
- Integrity (I:H): the attacker could gain write capability in kernel memory, enabling persistent modification of kernel data structures or loaded code.
- Availability (A:H): the kernel can be crashed or rendered unresponsive, taking down all services and workloads running on the affected node.
- Because the bug lives in a network driver, the vector credits a network-reachable attacker (AV:N) who triggers the off-by-one with escalating toward full kernel control without any prior foothold on the host.
How HarborGuard Handles This
Available on HarborGuard: detection runs continuously against all registered images and pipelines, so any image carrying a kernel version prior to the fix commits is flagged within minutes of the CVE entering the feed. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched commit, executes the configured regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before a rebuild ships, the finding is queued at critical priority and routed to the designated reviewer.
Customers who cannot immediately apply the patch should first confirm which flagged nodes actually load the bcmgenet driver (it binds only to Broadcom GENET hardware; elsewhere a version match is a patch-hygiene item rather than a live exposure), then consider network-policy isolation of those nodes and ingress filtering on the GENET interface to reduce the exploitable network surface while a rebuild is reviewed and promoted. Egress filtering limits what a compromised node can reach afterwards but does not shrink the attack surface itself.
Fix available
- Linux kernel: affected from 4.13, starting at commit 876dbadd53a7102e2a84afc84ea2bd3ee6dc5636. Fix commits: 14e9f86564fff7bcf7f45c1b69080e837b31d185, fb9a3c1f547d0ff024dbfe7b6f327626ddf0a3de, 85f34ec320d3881badfd4edc5fee5cd5012bb54d, 2a74590170427a3ca7cc4bb8690cdd559129c29c, 29394f722f620281f2ee9a47f947734e53d72c90, 4cab761fc51c65aef741fcece4a18f3554edbc09.
- Fixed in releases: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1. A kernel is affected if it is at or after 4.13 and below the fixed release of its stable series.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H