CVE-2026-52946: Add CVSS 3.1 score (7.5 HIGH)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV:N -A remote TCP peer can reach
tcp_check_urg()->sk_send_sigurg()->send_sigurg() by sending TCP
packets with the URG flag to a service whose socket owner is
configured as a process group. The fix explicitly identifies TCP
URG packet reception as a potential remote denial-of-service vector.
AC:L -The vulnerable condition is a lock-order deadlock, but an
attacker can repeatedly send URG packets and, in a plausible
forking/waiting network service, induce connection churn that
exercises the other tasklist_lock paths. There is no memory-layout
dependency or other hard-to-satisfy condition.
PR:N -The network attacker does not need local privileges or
authentication to send TCP URG traffic to an exposed service. The
fcntl process-group ownership is target service state, not an
attacker privilege requirement.
UI:N -Exploitation does not require a user to open a file or
perform an interactive action. Once the service is reachable and
configured, packets alone can trigger the vulnerable path.
S:U -The impact is within the Linux kernel and the same host
security authority. It does not cross a VM, sandbox, or hardware
isolation boundary.
C:N -The bug is a lock ordering deadlock, not a memory disclosure
or use-after-free. The fixed traversal is RCU-safe and does not
imply an attacker read primitive.
I:N -The vulnerability does not corrupt memory or provide a
write/control-flow primitive. It only causes unsafe lock
acquisition ordering during signal delivery.
A:H -The deadlock can hang kernel execution in
softirq/tasklist_lock paths and deny service to the affected
system. A kernel deadlock is a high availability impact.
Signed-off-by: Sasha Levin <sashal@kernel.org>
1 file changed