PatchSiren cyber security CVE debrief
CVE-2026-23247 Linux CVE debrief
CVE-2026-23247 is a Linux kernel TCP hardening issue where a SYN cookie side-channel could leak TCP source-port information. The upstream fix restores port influence in timestamp offset randomization, reversing an earlier change that reduced timestamp offsets to per-host values. NVD rates the issue Medium (CVSS 5.5) and has linked stable kernel patches for remediation.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-18
- Original CVE updated: 2026-05-21
- Advisory published: 2026-03-18
- Advisory updated: 2026-05-21
Who should care
Linux kernel maintainers, distribution security teams, and operators running affected kernel builds should pay attention, especially where TCP source-port secrecy or traffic-analysis resistance matters.
Technical summary
The issue centers on tcp secure_seq behavior used to generate TCP sequence-related randomness. According to the kernel fix description, removing TCP ports from timestamp offset randomization created a side channel that could expose source-port information through SYN cookie behavior. The upstream remedy adds ports back into TS offset generation and also reuses a single siphash() computation to derive both the Initial Sequence Number and the timestamp offset. NVD currently marks the CVE as analyzed and lists Linux kernel CPEs including versions before 6.18.17 and 6.19.x before 6.19.7, along with specific release entries in the affected set.
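To make the difference between a per-host and a per-connection timestamp offset concrete, the following is an added illustrative model, not code from the kernel or from this debrief. It uses HMAC-SHA256 as a stand-in for the kernel's siphash(), a constructed secret and constructed addresses, and it ignores the time-based components the real ISN and offset include; it only shows the structural point the fix description makes: with ports excluded, every connection between the same two hosts shares one offset, and with ports hashed in (and the ISN and offset drawn from a single keyed-hash output), each 4-tuple gets its own values.

```python
import hashlib
import hmac
import struct

# Constructed per-boot secret for the model; the kernel uses its own secret key.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def _keyed_hash(secret: bytes, msg: bytes) -> bytes:
    """Stand-in for siphash(): one keyed hash per call, 32 bytes out."""
    return hmac.new(secret, msg, hashlib.sha256).digest()


def ts_offset(secret: bytes, saddr: bytes, daddr: bytes,
              sport: int, dport: int, per_host: bool) -> int:
    """Model of the TCP timestamp offset derivation.

    per_host=True  models the reverted behaviour: ports are left out of the
                   hash input, so the offset is a per-host value.
    per_host=False models the fix: ports are hashed in, so the offset is
                   specific to the connection's 4-tuple.
    """
    msg = saddr + daddr
    if not per_host:
        msg += struct.pack(">HH", sport, dport)
    return struct.unpack(">I", _keyed_hash(secret, msg)[:4])[0]


def isn_and_ts_offset(secret: bytes, saddr: bytes, daddr: bytes,
                      sport: int, dport: int) -> tuple[int, int]:
    """Model of deriving both the ISN and the TS offset from one keyed hash.

    The fix description says a single siphash() computation feeds both values;
    here the first 32 bits stand for the ISN component and the next 32 bits for
    the offset. Both inputs include the ports.
    """
    msg = saddr + daddr + struct.pack(">HH", sport, dport)
    digest = _keyed_hash(secret, msg)
    isn = struct.unpack(">I", digest[:4])[0]
    offset = struct.unpack(">I", digest[4:8])[0]
    return isn, offset


def distinct_offsets(secret: bytes, saddr: bytes, daddr: bytes, dport: int,
                     sports: list[int], per_host: bool) -> int:
    """Count how many different offsets a set of source ports produces."""
    return len({ts_offset(secret, saddr, daddr, p, dport, per_host) for p in sports})


if __name__ == "__main__":
    client = bytes([10, 0, 0, 1])      # constructed addresses
    server = bytes([192, 0, 2, 10])
    ports = [40000, 40001, 40002]
    print("per-host offsets:      ", distinct_offsets(SECRET, client, server, 443, ports, True))
    print("per-connection offsets:", distinct_offsets(SECRET, client, server, 443, ports, False))
```

The per-host model yields a single offset regardless of source port, which is the property the fix removes; the per-connection model yields as many offsets as ports.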
Defensive priority
Medium. Patch promptly on exposed or high-value Linux systems, but the issue is primarily a confidentiality/privacy hardening problem rather than an outright service-breaker.
Recommended defensive actions
- Check whether your deployed Linux kernel falls within the NVD-listed vulnerable ranges or vendor backports derived from them.
- Apply the relevant kernel updates or distro backports referenced by the linked stable patch commits.
- Reboot into the updated kernel where required by your patching process.
- Verify that your vendor kernel includes the timestamp-offset hardening fix and related TCP randomization changes.
- Prioritize systems where TCP source-port privacy or anti-fingerprinting is operationally important.
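As a first pass on the version check above, here is an added helper (not from the debrief or from NVD) that parses a `uname -r` string and tests it against the two ranges the debrief quotes from the NVD record: kernels before 6.18.17, and 6.19.x before 6.19.7. The ranges are transcribed from the text above, not fetched; a distribution kernel that carries a backport will still be flagged by a pure version comparison, so treat a match as "confirm against the vendor advisory", not as a verdict.

```python
import re
import subprocess

# Vulnerable ranges as the debrief reports them from NVD, expressed as
# (lower bound inclusive or None, upper bound exclusive).
VULNERABLE_RANGES = [
    (None, (6, 18, 17)),          # "versions before 6.18.17"
    ((6, 19, 0), (6, 19, 7)),     # "6.19.x before 6.19.7"
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Turn a release string such as '6.18.12-arch1-1' into (6, 18, 12).

    Distro suffixes (-generic, -amd64, .el9 ...) are ignored; a missing
    patch level is treated as 0.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_nvd_vulnerable_range(version: tuple[int, int, int]) -> bool:
    """True if the version falls inside any NVD-listed range."""
    for lower, upper in VULNERABLE_RANGES:
        if (lower is None or version >= lower) and version < upper:
            return True
    return False


def classify(release: str) -> str:
    """Human-readable result for one release string."""
    version = parse_kernel_version(release)
    if in_nvd_vulnerable_range(version):
        return "within NVD range: confirm fix presence via vendor advisory or changelog"
    return "outside NVD range"


if __name__ == "__main__":
    running = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout
    print(f"{running.strip()}: {classify(running)}")
```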
Evidence notes
Source corpus indicates CVE publication on 2026-03-18 and a later NVD update on 2026-05-21 with vulnStatus analyzed. The kernel description says: 'tcp: secure_seq: add back ports to TS offset' and states this reverts 'secure_seq: downgrade to per-host timestamp offsets.' It also notes an off-path TCP source-port leakage via SYN cookie side-channel, and that one fix is to bring back TCP ports in TS offset randomization. NVD records CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and does not list a KEV entry.
Official resources
- CVE-2026-23247 CVE record (CVE.org)
- CVE-2026-23247 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch (listed three times in the source record)
Publicly disclosed in the CVE record on 2026-03-18; NVD last modified the record on 2026-05-21 after analysis and patch linkage. No CISA KEV entry is listed in the supplied data.