{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53366","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.400Z","datePublished":"2026-07-16T05:13:40.893Z","dateUpdated":"2026-07-16T05:13:40.893Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-07-16T05:13:40.893Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: account for fraggap on the paged allocation path\n\nIn __ip_append_data(), when the paged-allocation branch is taken,\nalloclen and pagedlen are computed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap, but the fraggap bytes carried over\nfrom the previous skb are copied into the new skb's linear area at\noffset transhdrlen by the subsequent skb_copy_and_csum_bits(). The\nlinear area is therefore undersized by fraggap bytes while pagedlen is\noverstated by the same amount.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/ip_output.c"],"versions":[{"version":"8eb77cc73977d88787b37c92831b1c242e035396","lessThan":"ce494707a9c07f27c219ca67f3e138061f53d9b3","status":"affected","versionType":"git"},{"version":"8eb77cc73977d88787b37c92831b1c242e035396","lessThan":"a9c24eda24bd15f432e37824e6fc440977cb241c","status":"affected","versionType":"git"},{"version":"8eb77cc73977d88787b37c92831b1c242e035396","lessThan":"77798d7be6ef71e72fb6fc8a2901bf74ebc9706f","status":"affected","versionType":"git"},{"version":"8eb77cc73977d88787b37c92831b1c242e035396","lessThan":"c04d9ece23deb9e26c19f9ca215e98b3295aa1bb","status":"affected","versionType":"git"},{"version":"8eb77cc73977d88787b37c92831b1c242e035396","lessThan":"eca856950f7cb1a221e02b99d758409f2c5cec42","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/ip_output.c"],"versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","status":"unaffected","versionType":"semver"},{"version":"6.6.144","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.95","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.38","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.1.3","lessThanOrEqual":"7.1.*","status":"unaffected","versionType":"semver"},{"version":"7.2-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.144"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.12.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.18.38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"7.1.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"7.2-rc1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ce494707a9c07f27c219ca67f3e138061f53d9b3"},{"url":"https://git.kernel.org/stable/c/a9c24eda24bd15f432e37824e6fc440977cb241c"},{"url":"https://git.kernel.org/stable/c/77798d7be6ef71e72fb6fc8a2901bf74ebc9706f"},{"url":"https://git.kernel.org/stable/c/c04d9ece23deb9e26c19f9ca215e98b3295aa1bb"},{"url":"https://git.kernel.org/stable/c/eca856950f7cb1a221e02b99d758409f2c5cec42"}],"title":"ipv4: account for fraggap on the paged allocation path","x_generator":{"engine":"bippy-1.2.0"}}}}