{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23302", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:57.470Z", "dateUpdated": "2026-05-11T22:04:15.314Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:15.314Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate data-races around sk->sk_{data_ready,write_space}\n\nskmsg (and probably other layers) are changing these pointers\nwhile other cpus might read them concurrently.\n\nAdd corresponding READ_ONCE()/WRITE_ONCE() annotations\nfor UDP, TCP and AF_UNIX."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skmsg.c", "net/ipv4/tcp.c", "net/ipv4/tcp_bpf.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_minisocks.c", "net/ipv4/udp.c", "net/ipv4/udp_bpf.c", "net/unix/af_unix.c"], "versions": [{"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "7ad01905831c815520f1b0486336a03bb7420465", "status": "affected", "versionType": "git"}, {"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "c494448bb522bbbb63096540eb2319101a0480ab", "status": "affected", "versionType": "git"}, {"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "f17c1c4acbe2bd702abce73a847a04a196fab2c5", "status": "affected", "versionType": "git"}, {"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "27fccdbcbbfc4651b6f66756e6fa3f52e051ec23", "status": "affected", "versionType": "git"}, {"version": "604326b41a6fb9b4a78b6179335decee0365cd8c", "lessThan": "2ef2b20cf4e04ac8a6ba68493f8780776ff84300", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skmsg.c", "net/ipv4/tcp.c", "net/ipv4/tcp_bpf.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_minisocks.c", "net/ipv4/udp.c", "net/ipv4/udp_bpf.c", "net/unix/af_unix.c"], "versions": [{"version": "4.20", "status": "affected"}, {"version": "0", "lessThan": "4.20", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7ad01905831c815520f1b0486336a03bb7420465"}, {"url": "https://git.kernel.org/stable/c/c494448bb522bbbb63096540eb2319101a0480ab"}, {"url": "https://git.kernel.org/stable/c/f17c1c4acbe2bd702abce73a847a04a196fab2c5"}, {"url": "https://git.kernel.org/stable/c/27fccdbcbbfc4651b6f66756e6fa3f52e051ec23"}, {"url": "https://git.kernel.org/stable/c/2ef2b20cf4e04ac8a6ba68493f8780776ff84300"}], "title": "net: annotate data-races around sk->sk_{data_ready,write_space}", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate data-races around sk->sk_{data_ready,write_space}\n\nskmsg (and probably other layers) are changing these pointers\nwhile other cpus might read them concurrently.\n\nAdd corresponding READ_ONCE()/WRITE_ONCE() annotations\nfor UDP, TCP and AF_UNIX."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: anotar condiciones de carrera de datos alrededor de sk->sk_{data_ready,write_space}\n\nskmsg (y probablemente otras capas) est\u00e1n cambiando estos punteros mientras otras CPUs podr\u00edan leerlos concurrentemente.\n\nA\u00f1adir las correspondientes anotaciones READ_ONCE()/WRITE_ONCE() para UDP, TCP y AF_UNIX."}], "id": "CVE-2026-23302", "lastModified": "2026-04-27T14:16:30.323", "metrics": {}, "published": "2026-03-25T11:16:25.923", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/27fccdbcbbfc4651b6f66756e6fa3f52e051ec23"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2ef2b20cf4e04ac8a6ba68493f8780776ff84300"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ad01905831c815520f1b0486336a03bb7420465"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c494448bb522bbbb63096540eb2319101a0480ab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f17c1c4acbe2bd702abce73a847a04a196fab2c5"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: annotate data-races around sk->sk_{data_ready,write_space}", "id": "2451200", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451200"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-366", "details": ["A flaw was found in the Linux kernel. This vulnerability involves data races within the networking subsystem, specifically related to how network socket pointers are handled concurrently by multiple central processing units (CPUs). Without proper synchronization, this concurrent access can lead to unpredictable system behavior."], "name": "CVE-2026-23302", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23302\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23302\nhttps://lore.kernel.org/linux-cve-announce/2026032527-CVE-2026-23302-e03d@gregkh/T"], "statement": "This is a theoretical data race in socket callback pointer handling (sk_data_ready, sk_write_space) for UDP, TCP, and AF_UNIX sockets. The fix adds READ_ONCE()/WRITE_ONCE() annotations to ensure proper memory ordering. While technically a data race, no practical security impact or crash has been demonstrated; this is primarily a correctness fix for concurrent access patterns.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[604326b41a6fb9b4a78b6179335decee0365cd8c,f17c1c4acbe2bd702abce73a847a04a196fab2c5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[604326b41a6fb9b4a78b6179335decee0365cd8c,27fccdbcbbfc4651b6f66756e6fa3f52e051ec23)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[604326b41a6fb9b4a78b6179335decee0365cd8c,2ef2b20cf4e04ac8a6ba68493f8780776ff84300)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.20"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,4.20)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:04:18.793329+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that includes the data\u2011race fix in net/skmsg and related networking code."], "summary": {"action": "Apply Patch", "impact": "Potential Data Corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the affected code paths \u2013 essentially any kernel that uses the networking drivers for UDP, TCP or UNIX domain sockets and has not applied the data\u2011race fix. No specific patch versions are listed, so all affected kernels should be upgraded to a version that includes the updated READ_ONCE/WRITE_ONCE annotations.", "description_and_impact": "The vulnerability is a race condition in the Linux kernel's networking stack that allows concurrent reads and writes of the socket state pointers sk->sk_data_ready and sk->sk_write_space. This can lead to undefined kernel behaviour, including packet loss, crashes, or malformed socket state. The description indicates that the fix introduces READ_ONCE/WRITE_ONCE annotations for UDP, TCP and AF_UNIX to prevent the race. The CVSS score of 3.3 reflects a low impact and damage potential limited to kernel stability rather than immediate data exfiltration or privilege escalation.", "risk_and_exploitability": "The CVSS rating of 3.3 and an EPSS score of less than 1\u202f% suggest that exploitation is unlikely in the wild. The vulnerability does not appear in the KEV catalog, and no public exploit has been disclosed. The likely attack vector is a local or privileged user manipulating network traffic to trigger concurrent access to the socket pointers, though the description does not confirm an active exploit path. Mitigation is therefore to apply the patch rather than relying on monitoring."}}}}, "created": "2026-03-25T21:15:28.426438+00:00", "updated": "2026-03-27T09:50:04.436266+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}