Description
In the Linux kernel, the following vulnerability has been resolved: tipc: fix double-free in tipc_buf_append() tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer. If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free. Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
References (11)
Core 11
Core References
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-52993
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2492437
Scores
CVSS v3
9.8
EPSS
0.0035
EPSS Percentile
27.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-763
Status
published
Products (25)
linux/Kernel
4.15.0 - 5.10.258linux
linux/Kernel
5.11.0 - 5.15.209linux
linux/Kernel
5.16.0 - 6.1.175linux
linux/Kernel
6.13.0 - 6.18.33linux
linux/Kernel
6.19.0 - 7.0.10linux
linux/Kernel
6.2.0 - 6.6.141linux
linux/Kernel
6.7.0 - 6.12.91linux
Linux/Linux
< 4.15
Linux/Linux
4.15
Linux/Linux
5.10.258 - 5.10.*
... and 15 more
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026