CVE-2026-53250

In the Linux kernel, the following vulnerability has been resolved:

xsk: cache csum start/csum offset to fix TOCTOU in xsk skb metadata()

The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xsk skb metadata(), csum start and csum offset are read from shared memory for bounds validation, then read again for skb assignment. A malicious userspace application can race to overwrite these values between the two reads, bypassing the bounds check and causing out-of-bounds memory access during checksum computation in the transmit path.

Fix this by reading csum start and csum offset into local variables once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch time) and the cached csum fields may be mutually inconsistent due to concurrent userspace writes, but this is benign: the only security-critical invariant is that each field's validated value is the same one used, which local caching guarantees.