{"id":81007,"date":"2026-06-24T12:30:12","date_gmt":"2026-06-24T09:00:12","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-52943-net-skbuff-fix-missing-zerocopy-reference-in-pskb_carve-helpers\/"},"modified":"2026-06-24T12:30:12","modified_gmt":"2026-06-24T09:00:12","slug":"cve-2026-52943-net-skbuff-fix-missing-zerocopy-reference-in-pskb_carve-helpers","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-52943-net-skbuff-fix-missing-zerocopy-reference-in-pskb_carve-helpers\/","title":{"rendered":"CVE-2026-52943 &#8211; net: skbuff: fix missing zerocopy reference in pskb_carve helpers"},"content":{"rendered":"<p>CVE ID :CVE-2026-52943<\/p>\n<p>  Published : June 24, 2026, 9 a.m. | 2\u00a0hours, 44\u00a0minutes ago<\/p>\n<p>  Description :In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>net: skbuff: fix missing zerocopy reference in pskb_carve helpers<\/p>\n<p>pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy<br \/>\nthe old skb_shared_info header into a new buffer via memcpy(), which<br \/>\nincludes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.<br \/>\nNeither function calls net_zcopy_get() for the new shinfo, creating an<br \/>\nunaccounted holder: every skb_shared_info with destructor_arg set will<br \/>\ncall skb_zcopy_clear() once when freed, but the corresponding<br \/>\nnet_zcopy_get() was never called for the new copy. Repeated calls<br \/>\ndrive uarg-&gt;refcnt to zero prematurely, freeing ubuf_info_msgzc while<br \/>\nTX skbs still hold live destructor_arg pointers.<\/p>\n<p>KASAN reports use-after-free on a freed ubuf_info_msgzc:<\/p>\n<p>  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b\/0x810<br \/>\n  Read of size 8 at addr ffff88801574d3e8 by task poc\/220<\/p>\n<p>  Call Trace:<br \/>\n   skb_release_data+0x77b\/0x810<br \/>\n   kfree_skb_list_reason+0x13e\/0x610<br \/>\n   skb_release_data+0x4cd\/0x810<br \/>\n   sk_skb_reason_drop+0xf3\/0x340<br \/>\n   skb_queue_purge_reason+0x282\/0x440<br \/>\n   rds_tcp_inc_free+0x1e\/0x30<br \/>\n   rds_recvmsg+0x354\/0x1780<br \/>\n   __sys_recvmsg+0xdf\/0x180<\/p>\n<p>  Allocated by task 219:<br \/>\n   msg_zerocopy_realloc+0x157\/0x7b0<br \/>\n   tcp_sendmsg_locked+0x2892\/0x3ba0<\/p>\n<p>  Freed by task 219:<br \/>\n   ip_recv_error+0x74a\/0xb10<br \/>\n   tcp_recvmsg+0x475\/0x530<\/p>\n<p>The skb consuming the late access still referenced the same uarg via<br \/>\nshinfo-&gt;destructor_arg copied by pskb_carve_inside_nonlinear() without<br \/>\na refcount bump. This has been verified to be reliably exploitable: a<br \/>\nworking proof-of-concept achieves full root privilege escalation from<br \/>\nan unprivileged local user on a default kernel configuration.<\/p>\n<p>The fix follows the pattern of pskb_expand_head() which has the same<br \/>\nmemcpy\/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()<br \/>\nis placed after skb_orphan_frags() succeeds, so the orphan error path<br \/>\nneeds no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is<br \/>\nplaced after all failure points and just before skb_release_data(), so<br \/>\nno error path needs cleanup at all &#8212; matching pskb_expand_head() more<br \/>\nclosely and avoiding the need for a balancing net_zcopy_put().<\/p>\n<p>  Severity: 0.0 | NA<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-52943 Published : June 24, 2026, 9 a.m. | 2\u00a0hours, 44\u00a0minutes ago Description :In the Linux kernel, the following vulnerability has been resolved: net: skbuff: fix missing zerocopy reference in pskb_carve helpers pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy the old skb_shared_info header into a new buffer via memcpy(), which includes the destructor_arg pointer (uarg) &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-81007","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=81007"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81007\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=81007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=81007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=81007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}