CVE-2026-52946: Add CVSS 3.1 score (7.5 HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AV:N -A remote TCP peer can reach
    tcp_check_urg()->sk_send_sigurg()->send_sigurg() by sending TCP
    packets with the URG flag to a service whose socket owner is
    configured as a process group. The fix explicitly identifies TCP
    URG packet reception as a potential remote denial-of-service vector.
AC:L -The vulnerable condition is a lock-order deadlock, but an
    attacker can repeatedly send URG packets and, in a plausible
    forking/waiting network service, induce connection churn that
    exercises the other tasklist_lock paths. There is no memory-layout
    dependency or other hard-to-satisfy condition.
PR:N -The network attacker does not need local privileges or
    authentication to send TCP URG traffic to an exposed service. The
    fcntl process-group ownership is target service state, not an
    attacker privilege requirement.
UI:N -Exploitation does not require a user to open a file or
    perform an interactive action. Once the service is reachable and
    configured, packets alone can trigger the vulnerable path.
S:U -The impact is within the Linux kernel and the same host
    security authority. It does not cross a VM, sandbox, or hardware
    isolation boundary.
C:N -The bug is a lock ordering deadlock, not a memory disclosure
    or use-after-free. The fixed traversal is RCU-safe and does not
    imply an attacker read primitive.
I:N -The vulnerability does not corrupt memory or provide a
    write/control-flow primitive. It only causes unsafe lock
    acquisition ordering during signal delivery.
A:H -The deadlock can hang kernel execution in
    softirq/tasklist_lock paths and deny service to the affected
    system. A kernel deadlock is a high availability impact.

Signed-off-by: Sasha Levin <sashal@kernel.org>
1 file changed