U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2026-52935

Change History

New CVE Received from kernel.org 6/24/2026 4:16:23 AM

Action Type Old Value New Value
Added Description

                  
                
              
In the Linux kernel, the following vulnerability has been resolved:

xfrm: espintcp: do not reuse an in-progress partial send

espintcp keeps a single in-flight transmit in ctx->partial.
Before building a new sk_msg, espintcp_sendmsg() first tries to flush
that state through espintcp_push_msgs().

For blocking callers, espintcp_push_msgs() may return success even when
the previous partial send is still pending. espintcp_sendmsg() would
then reinitialize emsg->skmsg and reuse ctx->partial while the old
transfer still owns that state.

Do not rebuild the send message when ctx->partial is still in progress.
If espintcp_push_msgs() returns with emsg->len still set, fail the new
send instead of overwriting the live partial state.

This is a memory-safety fix: reusing the live partial-send state can
leave a stale offset attached to a new sk_msg and lead to an out-of-
bounds read in the send path.

tcp_sendmsg_locked() already handles waiting for send buffer memory, so
the fix here is just to preserve espintcp's one-message-at-a-time
transmit state.
Added Reference

                  
                
              
https://git.kernel.org/stable/c/1777ceac4bea5e568a5ad44b7f9bb219c1db21b6
Added Reference

                  
                
              
https://git.kernel.org/stable/c/37487d55bf3300e3d2c1368da5c2bd3e3834ea4f
Added Reference

                  
                
              
https://git.kernel.org/stable/c/6564e9c7af7e1dc7bfe7f3093b728abe484d7630
Added Reference

                  
                
              
https://git.kernel.org/stable/c/8c6c691bf062dc0753a139a4ab8cb92a70fcf8f3
Added Reference

                  
                
              
https://git.kernel.org/stable/c/aa82a078f70f7ff88ba7d1017134e79d1ac140f2
Added Reference

                  
                
              
https://git.kernel.org/stable/c/ba21439302db9a82fe4edbed1e38a97271529421
Added Reference

                  
                
              
https://git.kernel.org/stable/c/c381039ade2e161ab08c0eda73c4f8b9a7115928
Added Reference

                  
                
              
https://git.kernel.org/stable/c/f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990
Added Affected

                  
                
              
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/xfrm/espintcp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"6564e9c7af7e1dc7bfe7f3093b728abe484d7630","versionType":"git","status":"affected"},{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"1777ceac4bea5e568a5ad44b7f9bb219c1db21b6","versionType":"git","status":"affected"},{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"8c6c691bf062dc0753a139a4ab8cb92a70fcf8f3","versionType":"git","status":"affected"},{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"aa82a078f70f7ff88ba7d1017134e79d1ac140f2","versionType":"git","status":"affected"},{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"ba21439302db9a82fe4edbed1e38a97271529421","versionType":"git","status":"affected"},{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990","versionType":"git","status":"affected"},{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"37487d55bf3300e3d2c1368da5c2bd3e3834ea4f","versionType":"git","status":"affected"},{"version":"e27cca96cd68fa2c6814c90f9a1cfd36bb68c593","lessThan":"c381039ade2e161ab08c0eda73c4f8b9a7115928","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/xfrm/espintcp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.6","status":"affected"},{"version":"0","lessThan":"5.6","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]