CVE-2026-52993
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
In the Linux kernel, a double-free vulnerability was found in the tipc_buf_append() function of the TIPC module. tipc_msg_validate() may reallocate the skb buffer, freeing the old one, and on validation failure the error path freed the already-freed original pointer.
Risk Assessment
Double-free memory corruption can lead to kernel structure damage, potentially allowing a local attacker to cause denial of service (DoS) or escalate privileges.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit 5a8f3e1b2c3d) or later, which prevents double-free by reassigning the headbuf pointer.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: tipc: fix double-free in tipc_buf_append() tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free. Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.

