VYPR
Unrated severity · NVD Advisory · Published Mar 25, 2026 · Updated Apr 27, 2026

CVE-2026-23302

Description

In the Linux kernel, the following vulnerability has been resolved:

net: annotate data-races around sk->sk_{data_ready,write_space}

skmsg (and probably other layers) are changing these pointers while other cpus might read them concurrently.

Add corresponding READ_ONCE()/WRITE_ONCE() annotations for UDP, TCP and AF_UNIX.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel lacks READ_ONCE()/WRITE_ONCE() annotations for sk->sk_data_ready and sk->sk_write_space, leading to data races that can cause malfunctions in UDP, TCP, and AF_UNIX sockets under concurrent access.

Vulnerability Description

CVE-2026-23302 addresses a concurrency issue in the Linux kernel's networking subsystem. The sk_data_ready and sk_write_space pointers in the socket structure (struct sock) are modified by skmsg and other layers, yet they are read concurrently by other CPUs. Without proper READ_ONCE() and WRITE_ONCE() annotations, these accesses constitute data races per the C memory model, which can lead to torn reads or compiler-optimized re-reads, resulting in stale or inconsistent pointer values.
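The reader-side hazard described above, as an added user-space model that is not kernel code and not taken from the referenced commits. The macros are simplified stand-ins for the kernel's READ_ONCE()/WRITE_ONCE(), and `sock_model`, `last_called`, `default_data_ready`, `psock_data_ready`, `install_psock`, `plain_notify` and `annotated_notify` are hypothetical names; the concurrent writer is simulated deterministically by a call placed between the reader's two accesses.

```c
/* User-space model (added example). All names except sk_data_ready,
 * READ_ONCE and WRITE_ONCE are hypothetical. */
#include <stdio.h>

/* Simplified stand-ins for the kernel macros: a volatile access forces
 * exactly one load or store that the compiler may not repeat or fuse. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

struct sock_model;
typedef void (*sk_cb_t)(struct sock_model *);

struct sock_model {
    sk_cb_t sk_data_ready; /* the pointer the fix annotates */
    sk_cb_t last_called;   /* model-only bookkeeping */
};

static void default_data_ready(struct sock_model *sk) { sk->last_called = default_data_ready; }
static void psock_data_ready(struct sock_model *sk)   { sk->last_called = psock_data_ready; }

/* Writer side: a layer such as skmsg replaces the callback. */
static void install_psock(struct sock_model *sk) { WRITE_ONCE(sk->sk_data_ready, psock_data_ready); }

/* Unannotated reader: two plain loads. `other_cpu` deterministically
 * simulates a writer landing between them. Returns 1 if the callback
 * that ran is the one that was inspected. */
static int plain_notify(struct sock_model *sk, sk_cb_t other_cpu)
{
    sk_cb_t inspected = sk->sk_data_ready; /* load 1 */
    if (other_cpu) other_cpu(sk);
    sk->sk_data_ready(sk);                 /* load 2 */
    return inspected == sk->last_called;
}

/* Annotated reader: one load into a local, then call the snapshot. */
static int annotated_notify(struct sock_model *sk, sk_cb_t other_cpu)
{
    sk_cb_t ready = READ_ONCE(sk->sk_data_ready);
    if (other_cpu) other_cpu(sk);
    ready(sk);
    return ready == sk->last_called;
}

int main(void)
{
    struct sock_model a = { default_data_ready, NULL }, b = a;
    printf("plain: %d annotated: %d\n", plain_notify(&a, install_psock), annotated_notify(&b, install_psock));
    return 0;
}
```

In the annotated reader the callback that runs is the old one even though the swap has already happened: the annotations guarantee a single untorn load or store, not ordering between the writer and the reader.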

Exploitation Scenario

An attacker with the ability to trigger concurrent socket operations (e.g., via crafted network traffic or local exploitation of BPF/skmsg) could potentially exploit these races. When a reader CPU sees an intermediate or stale value of sk_data_ready or sk_write_space, the kernel might invoke the wrong callback, skip notification, or double-invoke it. This exploitable window exists across UDP, TCP, and AF_UNIX sockets, as all three modify and inspect these pointers without atomicity guarantees.

Impact

Successful exploitation could cause denial of service (e.g., a socket failing to wake up when data arrives, or waking up spuriously), memory corruption if callbacks are misdirected, or information disclosure if notification is improperly delayed. In theory, an attacker controlling the value of a callback pointer could redirect execution, though practical exploitation would require additional primitive chaining.

Mitigation Status

The fix was committed to the Linux kernel stable repository; the referenced commits [1][2][3][4] add the required READ_ONCE()/WRITE_ONCE() annotations. Users should update to a kernel version containing these commits. No workaround is available beyond patching, as this is a semantic correctness fix. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
