CVE-2026-22977

5.5 MEDIUM

📋 TL;DR

This CVE describes a kernel panic vulnerability in the Linux kernel's networking subsystem when CONFIG_HARDENED_USERCOPY is enabled. The vulnerability occurs when cloned socket buffers from skbuff_fclone_cache are used in error queues, triggering a usercopy hardening violation that crashes the system. This affects Linux systems with hardened usercopy enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated, but references indicate fixes in stable kernel trees.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when CONFIG_HARDENED_USERCOPY is enabled in kernel configuration. Many distributions enable this hardening feature by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash and denial of service, potentially disrupting critical network services.

🟠 Likely Case: System crash when specific network operations involving error queue handling are performed with hardened usercopy enabled.

🟢 If Mitigated: No impact if CONFIG_HARDENED_USERCOPY is disabled or the system is patched.

🌐 Internet-Facing: MEDIUM - Network-facing services could be crashed by malicious packets triggering the error queue path.
🏢 Internal Only: MEDIUM - Internal network operations could also trigger the crash condition.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The description includes crash logs from a proof-of-concept (poc_put_cmsg), suggesting exploit code exists. Exploitation requires triggering the specific error queue path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel patches available (see references)

Vendor Advisory: https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391

Restart Required: Yes

Instructions:

1. Apply the kernel patch from upstream stable trees
2. Recompile kernel if using custom build
3. Reboot system to load patched kernel

🔧 Temporary Workarounds

Disable HARDENED_USERCOPY

linux

Disable the hardened usercopy feature in kernel configuration to avoid the crash, though this reduces security hardening.

Rebuild kernel with CONFIG_HARDENED_USERCOPY=n

🧯 If You Can't Patch

  • Monitor for kernel panic logs related to usercopy violations
  • Consider network filtering to block packets that might trigger error queue handling

🔍 How to Verify

Check if Vulnerable:

Check kernel config for CONFIG_HARDENED_USERCOPY=y and kernel version against patched versions

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commit and test error queue functionality

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages containing "usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache'"
  • BUG at mm/usercopy.c

Network Indicators:

  • Unusual network patterns triggering socket error queues

SIEM Query:

kernel_panic AND (usercopy OR skbuff_fclone_cache)
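
The config check from "How to Verify" and the log indicators above, combined into one local triage script. This is an added example, not code from the advisory or the kernel project; the function names are hypothetical, the sample log lines are constructed, and the live check assumes the distribution ships `/boot/config-$(uname -r)` or `/proc/config.gz` and keeps a persistent journal.

```shell
#!/bin/sh
# Added example (not from the advisory): local triage for CVE-2026-22977.

# Print enabled/disabled/unknown for CONFIG_HARDENED_USERCOPY in a kernel
# config file; handles plain text and gzip (e.g. /proc/config.gz).
hardened_usercopy_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    if $reader "$cfg" | grep -q '^CONFIG_HARDENED_USERCOPY=y$'; then
        echo enabled
    elif $reader "$cfg" | grep -q '^# CONFIG_HARDENED_USERCOPY is not set$'; then
        echo disabled
    else
        echo unknown
    fi
}

# Filter kernel log text on stdin down to the two log indicators above.
usercopy_hits() {
    grep -E "usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache'|BUG at mm/usercopy\.c" || true
}

# Constructed sample log lines (offsets, sizes and timestamps are made up).
sample_log() {
    cat <<'EOF'
[  112.345678] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!
[  112.345701] kernel BUG at mm/usercopy.c:102!
[  113.000000] eth0: Link is Up
EOF
}

# Live check: config of the running kernel, then the previous boot's kernel
# log (a panic ends the boot it happened in), falling back to dmesg.
triage_live() {
    for cfg in "/boot/config-$(uname -r)" /proc/config.gz; do
        state=$(hardened_usercopy_state "$cfg")
        [ "$state" = unknown ] || break
    done
    echo "kernel $(uname -r): CONFIG_HARDENED_USERCOPY $state"
    { journalctl -k -b -1 --no-pager 2>/dev/null || dmesg 2>/dev/null; } | usercopy_hits
}

if [ "${1:-}" = "--live" ]; then triage_live; fi
```

Run with `--live` on the host being triaged; without arguments the script only defines the functions, so `sample_log | usercopy_hits` can be used to confirm the pattern matches before deploying it.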

🔗 References
