Home

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: fix double-free in tipc_buf_append() tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free. Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-24 | Updated 2026-06-24 | Assigner Linux

Product status

Default status
unaffected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before a438975a6dcdbd70865978c021650d1485586f0b
affected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before 4ee4deadaae7cb2e3d53af0fc889cf92a73413c0
affected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before d3556656c6daebf8def751c7e71d11dd0a180d24
affected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before 0274f24485fc38032d4093e463dc3ff5c7a667c9
affected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before 4d104882bc815d4ec666ace9155f5f52715879a6
affected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before 1d5e589055880fae229e229e1929e087dbe08cf3
affected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before 29940fff14110ca48c5ccc168d121665b51bb778
affected

d618d09a68e4eed7a435beb2e355250f6f40664a (git) before d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a
affected

Default status
affected

4.15
affected

Any version before 4.15
unaffected

5.10.258 (semver)
unaffected

5.15.209 (semver)
unaffected

6.1.175 (semver)
unaffected

6.6.141 (semver)
unaffected

6.12.91 (semver)
unaffected

6.18.33 (semver)
unaffected

7.0.10 (semver)
unaffected

7.1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/a438975a6dcdbd70865978c021650d1485586f0b

git.kernel.org/...c/4ee4deadaae7cb2e3d53af0fc889cf92a73413c0

git.kernel.org/...c/d3556656c6daebf8def751c7e71d11dd0a180d24

git.kernel.org/...c/0274f24485fc38032d4093e463dc3ff5c7a667c9

git.kernel.org/...c/4d104882bc815d4ec666ace9155f5f52715879a6

git.kernel.org/...c/1d5e589055880fae229e229e1929e087dbe08cf3

git.kernel.org/...c/29940fff14110ca48c5ccc168d121665b51bb778

git.kernel.org/...c/d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a

cve.org (CVE-2026-52993)

nvd.nist.gov (CVE-2026-52993)

Download JSON