PT-2026-52280 · Linux · Linux

Published: 2026-06-25 · Updated: 2026-06-25 · CVE-2026-53184

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

udp: clear skb->dev before running a sockmap verdict

On the UDP receive path skb->dev is repurposed as dev_scratch (the truesize/state cache set by udp_set_dev_scratch()), through the union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.

When a UDP socket is in a sockmap, sk_data_ready is sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor() (sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq. If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp), bpf_skc_lookup() does:

	if (skb->dev)
		caller_net = dev_net(skb->dev);

skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net() dereferences it as a struct net_device * and the kernel takes a general protection fault on a non-canonical address in softirq:

	Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
	CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
	RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
	RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
	Call Trace:
	 bpf_prog_4675cb904b7071f8+0x12e/0x14e
	 bpf_prog_run_pin_on_cpu+0xc6/0x1f0
	 sk_psock_verdict_recv+0x1ba/0x350
	 udp_read_skb+0x31a/0x370
	 sk_psock_verdict_data_ready+0x2e3/0x600
	 udp_enqueue_schedule_skb+0x4c8/0x650
	 udpv6_queue_rcv_one_skb+0x3ec/0x740
	 udp6_unicast_rcv_skb+0x11d/0x140
	 ip6_protocol_deliver_rcu+0x61e/0x950
	 ip6_input_finish+0xa9/0x150
	 NF_HOOK+0x286/0x2f0
	 ip6_input+0x117/0x220
	 NF_HOOK+0x286/0x2f0
	 netif_receive_skb+0x85/0x200
	 process_backlog+0x374/0x9a0
	 napi_poll+0x4f/0x1c0
	 net_rx_action+0x3b0/0x770
	 handle_softirqs+0x15a/0x460
	 do_softirq+0x57/0x80

The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which skb_set_owner_sk_safe() set just above.
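
The union aliasing and the effect of the fix, modelled in userspace C as an added example; it is not kernel code and not part of the original advisory or patch. The mock_* types, SAMPLE_SCRATCH, lookup_net_source() and verdict_net_source() are hypothetical names, and the scratch value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: mock types, not the kernel's definitions. */
struct mock_net_device { int ifindex; };
struct mock_sock { int netns_id; };
struct mock_skb {
    union {                              /* same aliasing as in sk_buff */
        struct mock_net_device *dev;
        unsigned long dev_scratch;
    };
    struct mock_sock *sk;
};
enum net_source { NET_FROM_DEV, NET_FROM_SOCK };

/* Constructed scratch value: a cached size plus a state bit, never a pointer. */
#define SAMPLE_SCRATCH (0x4a0UL | (1UL << 16))

/* Mirrors the quoted branch; reports the value instead of dereferencing it. */
static enum net_source lookup_net_source(const struct mock_skb *skb,
                                         uintptr_t *would_deref)
{
    if (skb->dev) {
        *would_deref = (uintptr_t)skb->dev;
        return NET_FROM_DEV;
    }
    *would_deref = (uintptr_t)skb->sk;
    return NET_FROM_SOCK;
}

/* Models the tail of the receive path just before the verdict program runs. */
static enum net_source verdict_net_source(struct mock_sock *sk, int clear_dev,
                                          uintptr_t *would_deref)
{
    struct mock_skb skb = { .sk = sk };  /* owner socket already set */

    skb.dev_scratch = SAMPLE_SCRATCH;    /* receive path cached its scratch */
    if (clear_dev)
        skb.dev = NULL;                  /* the fix: scratch is dead by now */
    return lookup_net_source(&skb, would_deref);
}

int main(void)
{
    struct mock_sock sk = { 1 };
    uintptr_t v;
    printf("unfixed uses dev: %d\n", verdict_net_source(&sk, 0, &v) == NET_FROM_DEV);
    printf("fixed uses sock:  %d\n", verdict_net_source(&sk, 1, &v) == NET_FROM_SOCK);
    return 0;
}
```

Without the clear, the lookup branch treats the stale scratch integer as a device pointer; with it, the branch falls through to the socket.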

Related Identifiers

CVE-2026-53184

Affected Products

Linux