CVE Catalog

CVE-2026-52935

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In the Linux kernel's xfrm/espintcp module, a vulnerability allows reusing an in-progress partial send state (ctx->partial) before completion. The espintcp_sendmsg() function may overwrite the active send state, leading to an out-of-bounds memory read.

Risk Assessment

The organization risks data leakage or system crash due to out-of-bounds memory read during IPsec ESP-in-TCP traffic processing. This could enable a remote attacker to compromise confidentiality or availability.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit preventing reuse of ctx->partial). Monitor distribution security advisories and apply the patch as soon as available.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: xfrm: espintcp: do not reuse an in-progress partial send espintcp keeps a single in-flight transmit in ctx->partial. Before building a new sk_msg, espintcp_sendmsg() first tries to flush that state through espintcp_push_msgs(). For blocking callers, espintcp_push_msgs() may return success even when the previous partial send is still pending. espintcp_sendmsg() would then reinitialize emsg->skmsg and reuse ctx->partial while the old transfer still owns that state. Do not rebuild the send message when ctx->partial is still in progress. If espintcp_push_msgs() returns with emsg->len still set, fail the new send instead of overwriting the live partial state. This is a memory-safety fix: reusing the live partial-send state can leave a stale offset attached to a new sk_msg and lead to an out-of- bounds read in the send path. tcp_sendmsg_locked() already handles waiting for send buffer memory, so the fix here is just to preserve espintcp's one-message-at-a-time transmit state.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS