CVE-2026-22988
Published: 23 January 2026
Summary
CVE-2026-22988 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22988 is a vulnerability in the Linux kernel's ARP implementation, specifically within the arp_create() function, which incorrectly assumes that the dev_hard_header() callback does not modify skb->head. This assumption was invalidated by a recent commit, potentially leading to incorrect handling of ARP packets. The issue affects Linux kernel users running vulnerable stable versions prior to the application of the fix.
An attacker with local access and low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system integrity (I:H), and denial of service through availability disruption (A:H), as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Mitigation is provided through upstream patches committed to the Linux kernel stable repository. Relevant fixes include commits such as 029935507d0af6553c45380fbf6feecf756fd226, 393525dee5c39acff8d6705275d7fcaabcfb7f0a, 70bddc16491ef4681f3569b3a2c80309a3edcdd1, 949647e7771a4a01963fe953a96d81fba7acecf3, and c92510f5e3f82ba11c95991824a41e59a9c5ed81, which initialize the arp pointer after the dev_hard_header() call to restore correct behavior. Security practitioners should update to kernels incorporating these changes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4299
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer…
more
after dev_hard_header() call.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel memory corruption in ARP handling allows low-privileged user to achieve arbitrary code execution or full compromise, directly mapping to exploitation for privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 directly requires identification, reporting, and correction of system flaws like CVE-2026-22988 through timely application of Linux kernel patches.
RA-5 mandates vulnerability scanning to identify systems running vulnerable Linux kernel versions affected by CVE-2026-22988.
SI-5 ensures organizations receive security advisories about kernel vulnerabilities like CVE-2026-22988 to initiate remediation processes.