CVE-2026-23247— tcp: secure_seq: add back ports to TS offset
Affected Version Matrix 9
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 28ee1b746f493b7c62347d714f58fbf4f70df4f0< eae2f14ab2efccdb7480fae7d42c4b0116ef8805 | affected |
28ee1b746f493b7c62347d714f58fbf4f70df4f0< 46e5b0d7cf55821527adea471ffe52a5afbd9caf | affected | ||
28ee1b746f493b7c62347d714f58fbf4f70df4f0< 165573e41f2f66ef98940cf65f838b2cb575d9d1 | affected | ||
443fac9f2618b93cbc5ab068dc594530236b3a23 | affected | ||
4.11 | affected | ||
< 4.11 | unaffected | ||
6.18.17≤ 6.18.* | unaffected | ||
6.19.7≤ 6.19.* | unaffected | ||
| … +1 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23247
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
tcp: secure_seq: add back ports to TS offset
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: tcp: secure_seq: add back ports to TS offset This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets") tcp_tw_recycle went away in 2017. Zhouyan Deng reported off-path TCP source port leakage via SYN cookie side-channel that can be fixed in multiple ways. One of them is to bring back TCP ports in TS offset randomization. As a bonus, we perform a single siphash() computation to provide both an ISN and a TS offset.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于secure_seq函数中未将端口纳入时间戳偏移随机化,可能导致TCP源端口泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23247
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23247
请登录查看更多情报信息。
Patch · 3
Same Patch Batch · Linux · 2026-03-18 · 35 CVEs total
| CVE-2026-23246 | 8.8 HIGH | wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration |
| CVE-2026-23268 | 7.8 HIGH | apparmor: fix unprivileged local user can do privileged policy management |
| CVE-2026-23270 | 7.8 HIGH | net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks |
| CVE-2026-23253 | 7.8 HIGH | media: dvb-core: fix wrong reinitialization of ringbuffer on reopen |
| CVE-2026-23243 | 7.8 HIGH | RDMA/umad: Reject negative data_len in ib_umad_write |
| CVE-2026-23245 | 7.8 HIGH | net/sched: act_gate: snapshot parameters with RCU on replace |
| CVE-2026-23248 | 7.8 HIGH | perf/core: Fix refcount bug and potential UAF in perf_mmap |
| CVE-2026-23242 | 7.5 HIGH | RDMA/siw: Fix potential NULL pointer dereference in header processing |
| CVE-2026-23269 | 7.1 HIGH | apparmor: validate DFA start states are in bounds in unpack_pdb |
| CVE-2025-71268 | btrfs: fix reservation leak in some error paths when inserting inline extent | |
| CVE-2025-71265 | fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata | |
| CVE-2026-23252 | xfs: get rid of the xchk_xfile_*_descr calls | |
| CVE-2026-23251 | xfs: only call xf{array,blob}_destroy if we have a valid pointer | |
| CVE-2026-23250 | xfs: check return value of xchk_scrub_create_subord | |
| CVE-2026-23249 | xfs: check for deleted cursors when revalidating two btrees | |
| CVE-2026-23244 | nvme: fix memory allocation in nvme_pr_read_keys() | |
| CVE-2025-71267 | fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST | |
| CVE-2025-71266 | fs: ntfs3: check return value of indx_find to avoid infinite loop | |
| CVE-2025-71269 | btrfs: do not free data reservation in fallback from inline due to -ENOSPC | |
| CVE-2025-71270 | LoongArch: Enable exception fixup for specific ADE subcode |
Showing top 20 of 35 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
Same vendor: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
V. Comments for CVE-2026-23247
No comments yet