CVE-2026-23331
Description
In the Linux kernel, the following vulnerability has been resolved:
udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.
Let's say we bind() an UDP socket to the wildcard address with a non-zero port, connect() it to an address, and disconnect it from the address.
bind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not SOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put the socket into the 4-tuple hash table.
Then, __udp_disconnect() calls sk->sk_prot->rehash(sk).
It computes a new hash based on the wildcard address and moves the socket to a new slot in the 4-tuple hash table, leaving a garbage in the chain that no packet hits.
Let's remove such a socket from 4-tuple hash table when disconnected.
Note that udp_sk(sk)->udp_portaddr_hash needs to be udpated after udp_hash4_dec(hslot2) in udp_unhash4().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel bug in the Linux kernel's UDP socket handling leaves disconnected, auto-bound sockets in the 4-tuple hash table, potentially causing minor corruption.
Vulnerability
Description
A flaw exists in the Linux kernel's UDP socket implementation. When a socket is bound to the wildcard address with a specific port, connected to a remote address (which adds it to the 4-tuple hash table), and then disconnected, the kernel fails to properly remove the socket from that hash table. This leaves a stale entry that no packet will match, resulting in a minor form of state corruption within the kernel's networking subsystem.
Attack
Vector and Prerequisites
An attacker must be able to interact with the system in a way that triggers a sequence of bind(), connect(), and disconnect() calls on a UDP socket with specific flags. No special privileges are needed beyond the ability to create and manipulate UDP sockets, making this accessible to unprivileged users or containerized processes. The attack surface is local; exploitation does not require network access.
Impact
If exploited, the stale hash table entry could cause packets with certain 4-tuples to be misdirected or not delivered to the intended socket. In practice, the impact is limited to potential packet loss or delivery to the wrong socket, which could be used to disrupt UDP-based services or leak information between sockets on the same host. The CVSS score of 5.5 reflects a medium severity, indicating a limited but real risk of denial of service or information exposure.
Mitigation
Patches have been issued and are included in the mainline Linux kernel repository. Users should update their kernel to a version containing the fix, which is identified by commits referenced in the changelog [1][2][3]. No workarounds are available beyond applying the patch; using older, unpatched kernels leaves the system exposed.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.13.1,<6.18.17
- cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.