{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23048", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.949Z", "datePublished": "2026-02-04T16:00:30.232Z", "dateUpdated": "2026-05-11T21:58:59.709Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:59.709Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: call skb_orphan() before skb_attempt_defer_free()\n\nStandard UDP receive path does not use skb->destructor.\n\nBut skmsg layer does use it, since it calls skb_set_owner_sk_safe()\nfrom udp_read_skb().\n\nThis then triggers this warning in skb_attempt_defer_free():\n\n DEBUG_NET_WARN_ON_ONCE(skb->destructor);\n\nWe must call skb_orphan() to fix this issue."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c"], "versions": [{"version": "6471658dc66c670580a7616e75f51b52917e7883", "lessThan": "0c63d5683eae6a7b4d81382bcbecb2a19feff90d", "status": "affected", "versionType": "git"}, {"version": "6471658dc66c670580a7616e75f51b52917e7883", "lessThan": "e5c8eda39a9fc1547d1398d707aa06c1d080abdd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c63d5683eae6a7b4d81382bcbecb2a19feff90d"}, {"url": "https://git.kernel.org/stable/c/e5c8eda39a9fc1547d1398d707aa06c1d080abdd"}], "title": "udp: call skb_orphan() before skb_attempt_defer_free()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: call skb_orphan() before skb_attempt_defer_free()\n\nStandard UDP receive path does not use skb->destructor.\n\nBut skmsg layer does use it, since it calls skb_set_owner_sk_safe()\nfrom udp_read_skb().\n\nThis then triggers this warning in skb_attempt_defer_free():\n\n DEBUG_NET_WARN_ON_ONCE(skb->destructor);\n\nWe must call skb_orphan() to fix this issue."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nudp: llamar a skb_orphan() antes de skb_attempt_defer_free()\n\nLa ruta de recepci\u00f3n UDP est\u00e1ndar no utiliza skb->destructor.\n\nPero la capa skmsg s\u00ed lo utiliza, ya que llama a skb_set_owner_sk_safe() desde udp_read_skb().\n\nEsto entonces activa esta advertencia en skb_attempt_defer_free():\n\nDEBUG_NET_WARN_ON_ONCE(skb->destructor);\n\nDebemos llamar a skb_orphan() para solucionar este problema."}], "id": "CVE-2026-23048", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-02-04T16:16:20.343", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0c63d5683eae6a7b4d81382bcbecb2a19feff90d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e5c8eda39a9fc1547d1398d707aa06c1d080abdd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: udp: call skb_orphan() before skb_attempt_defer_free()", "id": "2436776", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436776"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23048", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23048\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23048\nhttps://lore.kernel.org/linux-cve-announce/2026020441-CVE-2026-23048-f1cc@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T19:46:15.703307+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a release that includes the CVE-2026-23048 fix", "Reboot the system to load the updated kernel", "If immediate patching is not feasible, limit or filter UDP traffic to non\u2011essential ports to reduce exposure"], "summary": {"action": "Apply patch", "impact": "Kernel memory corruption that could lead to privilege escalation or system crash"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Linux kernel itself. Vendors and product families include Linux: Linux kernel, covering all compiled kernel images built from the mainline source. No explicit build or version range is specified, so any kernel that has not applied the upstream patch may be susceptible until updated.", "description_and_impact": "The flaw arises from a mismatch in the handling of socket buffers during UDP packet reception. The path does not invoke the skb->destructor field, while the skmsg layer does, leading to a defensive warning in skb_attempt_defer_free(). This discrepancy can result in a double free or use\u2011after\u2011free condition, classified as CWE\u2011416, and may corrupt kernel memory. If exploited, an attacker could potentially gain elevated privileges or crash the operating system.", "risk_and_exploitability": "The CVSS score of 7.0 indicates a high severity vulnerability, yet the EPSS score of less than 1% suggests that exploitation in the wild is currently very unlikely. The flaw is not listed in the CISA KEV catalog, further supporting the low deployment risk. The most probable attack vector is remote, using crafted UDP packets that reach processes handling network traffic. Exploitation would likely require precise timing and could demand that the attacker has network connectivity to the target system or access to services that observe UDP traffic. Even so, a successful exploit would result in kernel memory corruption, potentially allowing privilege escalation or denial of service."}}}}, "created": "2026-04-18T20:00:09.265683+00:00", "updated": "2026-04-18T20:00:09.265695+00:00", "vendors": [], "weaknesses": ["CWE-416"]}