{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23247", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.989Z", "datePublished": "2026-03-18T10:05:09.353Z", "dateUpdated": "2026-03-18T10:05:09.353Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-18T10:05:09.353Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: secure_seq: add back ports to TS offset\n\nThis reverts 28ee1b746f49 (\"secure_seq: downgrade to per-host timestamp offsets\")\n\ntcp_tw_recycle went away in 2017.\n\nZhouyan Deng reported off-path TCP source port leakage via\nSYN cookie side-channel that can be fixed in multiple ways.\n\nOne of them is to bring back TCP ports in TS offset randomization.\n\nAs a bonus, we perform a single siphash() computation\nto provide both an ISN and a TS offset."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/secure_seq.h", "include/net/tcp.h", "net/core/secure_seq.c", "net/ipv4/syncookies.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_ipv4.c", "net/ipv6/syncookies.c", "net/ipv6/tcp_ipv6.c"], "versions": [{"version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0", "lessThan": "eae2f14ab2efccdb7480fae7d42c4b0116ef8805", "status": "affected", "versionType": "git"}, {"version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0", "lessThan": "46e5b0d7cf55821527adea471ffe52a5afbd9caf", "status": "affected", "versionType": "git"}, {"version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0", "lessThan": "165573e41f2f66ef98940cf65f838b2cb575d9d1", "status": "affected", "versionType": "git"}, {"version": "443fac9f2618b93cbc5ab068dc594530236b3a23", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/secure_seq.h", "include/net/tcp.h", "net/core/secure_seq.c", "net/ipv4/syncookies.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_ipv4.c", "net/ipv6/syncookies.c", "net/ipv6/tcp_ipv6.c"], "versions": [{"version": "4.11", "status": "affected"}, {"version": "0", "lessThan": "4.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805"}, {"url": "https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf"}, {"url": "https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1"}], "title": "tcp: secure_seq: add back ports to TS offset", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: secure_seq: add back ports to TS offset\n\nThis reverts 28ee1b746f49 (\"secure_seq: downgrade to per-host timestamp offsets\")\n\ntcp_tw_recycle went away in 2017.\n\nZhouyan Deng reported off-path TCP source port leakage via\nSYN cookie side-channel that can be fixed in multiple ways.\n\nOne of them is to bring back TCP ports in TS offset randomization.\n\nAs a bonus, we perform a single siphash() computation\nto provide both an ISN and a TS offset."}], "id": "CVE-2026-23247", "lastModified": "2026-03-18T14:52:44.227", "metrics": {}, "published": "2026-03-18T11:16:16.723", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tcp: secure_seq: add back ports to TS offset", "id": "2448598", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448598"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23247", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23247\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23247\nhttps://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23247-07b3@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[28ee1b746f493b7c62347d714f58fbf4f70df4f0,eae2f14ab2efccdb7480fae7d42c4b0116ef8805)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[28ee1b746f493b7c62347d714f58fbf4f70df4f0,46e5b0d7cf55821527adea471ffe52a5afbd9caf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[28ee1b746f493b7c62347d714f58fbf4f70df4f0,165573e41f2f66ef98940cf65f838b2cb575d9d1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "443fac9f2618b93cbc5ab068dc594530236b3a23"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-19T01:53:59.498140+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the secure_seq patch restoring port usage for timestamp offset randomization", "Verify the running kernel (uname -r) to ensure the patch hash matches the updated release", "Reboot or reload networking after the kernel upgrade to activate the changes"], "summary": {"action": "Apply Patch", "impact": "Source Port Disclosure"}, "threat_synthesis": {"affected_systems": "All systems running a Linux kernel that applied the downgrade patch but have not yet incorporated the recent fix that restores port usage in the secure_seq subsystem. The CPE entry lists any Linux kernel, indicating widespread impact across distributions until the patch is deployed. No explicit version numbers are supplied, so any kernel version that adopted the downgrade is vulnerable until updated.", "description_and_impact": "The flaw originates from the Linux kernel\u2019s decision to downgrade per\u2011host TCP timestamp offset randomization, removing TCP ports from the timestamp offset calculation. This change creates a side\u2011channel that allows an off\u2011path observer of SYN and SYN\u2011ACK packets to infer the client\u2019s TCP source port, as reported by Zhouyan Deng. The side\u2011channel can be closed by reinstating port usage in the timestamp randomization routine, a fix already merged in recent kernel releases. The resulting information disclosure reduces the entropy of the source port, potentially aiding attackers in crafting more efficient off\u2011path exploits. The weakness aligns with CWE\u2011200 (Information Exposure).", "risk_and_exploitability": "The CVSS score of 5.5 denotes moderate severity, while the EPSS probability of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an off\u2011path position capable of observing TCP handshakes; it does not grant remote code execution, privilege escalation, or denial of service. Attackers would use the reduced port entropy to assist with traffic analysis or advanced port\u2011guessing attacks within the normal TCP communication flow."}}}}, "created": "2026-03-18T12:12:45.101164+00:00", "updated": "2026-03-24T10:58:54.900145+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-200"]}