CVE-2026-53151: rxrpc: Fix the ACK parser to extract the SACK table for parsing
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix the ACK parser to extract the SACK table for parsing

Fix modification of the received skbuff in rxrpc_input_soft_acks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AF_RXRPC tries to extract the contents of the SACK table, by copying out the contents of the SACK table into a buffer before attempting to parse.

AF_RXRPC assumes that it can just call skb_condense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances.

Note that whilst rxrpc_input_soft_acks() should be able to parse extended ACKs, the rest of AF_RXRPC doesn't currently support that.

Further, there's then no need to call skb_condense() in rxrpc_input_ack(), so don't.
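To make the fixed pattern concrete, here is an added userspace model (not kernel code and not from the upstream patch) of a socket buffer whose SACK table straddles the linear head and a fragment: sack_table_is_linear() shows the flat-buffer assumption failing for such a packet, and count_soft_acks() copies the table out across fragments before parsing it, refusing packets that are too short. All names, the 1 = ACK / 0 = NACK entry encoding, and the 256-entry bound are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a non-linear skb: linear head (skb->data) plus fragments. */
struct frag { const uint8_t *data; size_t len; };
struct model_skb { const uint8_t *head; size_t headlen; size_t total_len;
                   struct frag frags[4]; int nr_frags; };
/* The assumption the fix drops: does the whole SACK table sit in the head? */
int sack_table_is_linear(const struct model_skb *skb, size_t off, size_t n)
{ return off + n <= skb->headlen; }

/* Copy len bytes at off into to, crossing fragment boundaries (models the
 * skb_copy_bits() pattern the fix uses). Returns 0, or -1 if the packet is short. */
int model_copy_bits(const struct model_skb *skb, size_t off, uint8_t *to, size_t len)
{
    size_t copied = 0;
    if (off + len > skb->total_len) return -1;      /* refuse short packets */
    if (off < skb->headlen) {                       /* part in the linear head */
        size_t n = skb->headlen - off;
        if (n > len) n = len;
        memcpy(to, skb->head + off, n);
        copied = n; off = skb->headlen;
    }
    off -= skb->headlen;                            /* now relative to frags */
    for (int i = 0; i < skb->nr_frags && copied < len; i++) {
        const struct frag *f = &skb->frags[i];
        if (off >= f->len) { off -= f->len; continue; }
        size_t n = f->len - off;
        if (n > len - copied) n = len - copied;
        memcpy(to + copied, f->data + off, n);
        copied += n; off = 0;
    }
    return copied == len ? 0 : -1;
}

/* Parse the SACK table from a private copy, never from skb->data directly.
 * Entry 1 = ACK, 0 = NACK (assumed encoding). Returns the ACK count, or -1. */
int count_soft_acks(const struct model_skb *skb, size_t off, size_t nacks)
{
    uint8_t sack[256]; int acked = 0;               /* assumed nAcks upper bound */
    if (nacks > sizeof sack || model_copy_bits(skb, off, sack, nacks) < 0) return -1;
    for (size_t i = 0; i < nacks; i++) acked += (sack[i] == 1);
    return acked;
}
/* Constructed sample: 8-byte ACK header + 2 SACK bytes in the head, 4 more in a fragment. */
static const uint8_t sample_head[10] = { [8] = 1, [9] = 0 };
static const uint8_t sample_frag[4] = { 1, 1, 0, 1 };
void build_sample(struct model_skb *skb)
{ *skb = (struct model_skb){ sample_head, 10, 14, {{ sample_frag, 4 }}, 1 }; }
```

With the sample packet, reading six SACK entries straight from the head would run two bytes past the linear data, while the copy-out path parses all six entries correctly.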
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
An out-of-bounds memory access vulnerability exists in the Linux kernel's AF_RXRPC subsystem, specifically in the ACK packet parser (rxrpc_input_soft_acks). The flaw is reachable over the network without any authentication or user interaction, triggered by a specially crafted fragmented UDP packet that causes the kernel to read from an invalid memory location when processing the SACK table. Successful exploitation gives an attacker full read, write, and crash capabilities against the affected host. A patched-image rebuild at fix version 6.18.36 (and the corresponding commit SHAs) is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Available: Detection of CVE-2026-53151 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer container images, including custom-built images that bundle their own kernel or kernel modules. Any image found to include an affected Linux kernel version is flagged automatically in the pipeline scan results.
Available: HarborGuard scores this CVE at 9.8 (CVSS v3.1, Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within the customer org based on configured ownership rules, so the right engineers see the alert without manual triage.
Available: A patched-image rebuild pinned to Linux 6.18.36 or the upstream fix commits becomes available on HarborGuard for any environment running an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The vulnerable code path is reached by sending a specially crafted fragmented UDP packet over the network to any host exposing an AF_RXRPC socket, so the attacker must be able to reach the service across the network.
- Authentication: Not required
No credentials or account of any kind are needed; the malformed packet can be sent by an unauthenticated remote attacker.
- Victim interaction: Not required
No user action is required; the kernel processes incoming packets automatically without any interaction from a logged-in user.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental preconditions beyond network access.
Blast Radius
- An attacker can read arbitrary kernel memory, exposing secrets such as cryptographic keys, session tokens, and other in-memory data from any process on the host.
- An attacker can write to arbitrary kernel memory, modifying kernel data structures, escalating privileges, or planting malicious code in kernel space.
- An attacker can crash the kernel entirely, taking down all workloads running on the affected node and causing a full denial of service.
- Any container running on the same host shares the underlying kernel, so a successful exploit against the host kernel breaks the isolation boundary for all co-located containers regardless of their individual configurations.
How HarborGuard Handles This
Available on HarborGuard: detection runs automatically against every scanned image the moment the CVE is ingested, with no configuration required. For environments where images bundle the Linux kernel (such as VM-in-container or unikernel workflows) or where base images derive from an affected kernel version, HarborGuard surfaces the finding immediately in the pipeline dashboard and routes it according to the customer's compliance policy. Where compliance policy permits and auto-remediation is enabled, HarborGuard rebuilds the affected image at Linux 6.18.36 (or the applicable fix commit), runs regression tests, and opens a pull request against affected workloads, with a median time to merged PR of around 90 minutes for Critical-severity findings. For customers who have not enabled auto-remediation, the patched rebuild is still prepared and available for manual promotion. Given the network-exposed, no-auth nature of this vulnerability, network policy controls that restrict inbound UDP traffic to RxRPC ports can serve as a compensating control until the patched image is promoted.
Fix available
- Linux / Linux: < 566c4c1244de50fbff1f89ff93c9d7b0fc256db4 (from d57a3a151660902091491ac2633134e1be92557f) · < 224298450be5c04d2a6ea1c2a94669d7ebf65d00 (from d57a3a151660902091491ac2633134e1be92557f) · < 333b6d5bb9f87827ac2639c737bf9613dbae7253 (from d57a3a151660902091491ac2633134e1be92557f)
- Linux / Linux 6.2: Fixed in 0, 6.18.36, 7.0.13, 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H