PT-2026-52318 · Linux · Linux

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53223

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on the page.

In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb from sk_error_queue. That assumption is not true for AF_PACKET sockets: outgoing packet taps are also delivered to packet sockets with skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic timestamp cmsg path can read AF_PACKET control-buffer state as sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop counter overlaps opt_stats. An odd drop count makes the path emit SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear skbs this copies past the linear head and can trigger hardened usercopy or disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal receive ownership and no longer pass as error-queue skbs, while legitimate sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free ownership.
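
The ownership check described above can be seen in a small userspace model. This is an added example, not kernel code or the actual patch: struct skb, the model_* destructors and the cb layout (drop counter and opt_stats bit sharing the first word) are simplified assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PACKET_OUTGOING 4                 /* value from <linux/if_packet.h> */
struct skb;                               /* simplified stand-in for struct sk_buff */
typedef void (*destructor_fn)(struct skb *);
struct skb {
    uint8_t pkt_type;
    destructor_fn destructor;
    unsigned char cb[48];                 /* scratch area; meaning depends on the owner */
};

/* Stand-ins for the two owners' destructors; only their identity matters here. */
static void model_sock_rmem_free(struct skb *s) { (void)s; }
static void model_rx_free(struct skb *s)        { (void)s; }

/* Assumed layout: the first cb word is the drop counter when AF_PACKET owns
 * the skb, and bit 0 of that same word is opt_stats when the error queue does. */
static struct skb make_skb(destructor_fn owner, uint32_t cb_word) {
    struct skb s = { .pkt_type = PACKET_OUTGOING, .destructor = owner };
    memcpy(s.cb, &cb_word, sizeof cb_word);
    return s;
}

static bool is_err_queue_before(const struct skb *s) {
    return s->pkt_type == PACKET_OUTGOING;            /* marker alone */
}
static bool is_err_queue_after(const struct skb *s) {
    return s->pkt_type == PACKET_OUTGOING &&
           s->destructor == model_sock_rmem_free;     /* marker plus ownership */
}

/* True when the timestamp path would read cb as opt_stats and emit the cmsg. */
static bool emits_opt_stats(destructor_fn owner, uint32_t cb_word, bool patched) {
    struct skb s = make_skb(owner, cb_word);
    uint32_t word;
    memcpy(&word, s.cb, sizeof word);
    bool errq = patched ? is_err_queue_after(&s) : is_err_queue_before(&s);
    return errq && (word & 1u);
}

int main(void) {
    printf("tap, odd drops: before=%d after=%d\n",
           emits_opt_stats(model_rx_free, 3, false), emits_opt_stats(model_rx_free, 3, true));
    printf("error queue:    before=%d after=%d\n",
           emits_opt_stats(model_sock_rmem_free, 1, false), emits_opt_stats(model_sock_rmem_free, 1, true));
    return 0;
}
```

In the model, the tap skb with an odd drop count is misread only by the marker-only check, while the genuine error-queue entry is accepted by both.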
Related identifiers

CVE-2026-53223

Affected products

Linux