Cyber Resilience

CVE-2026-22988

High

Published: 23 January 2026

Published
23 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22988 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22988 is a vulnerability in the Linux kernel's ARP implementation, specifically within the arp_create() function, which incorrectly assumes that the dev_hard_header() callback does not modify skb->head. This assumption was invalidated by a recent commit, potentially leading to incorrect handling of ARP packets. The issue affects Linux kernel users running vulnerable stable versions prior to the application of the fix.

An attacker with local access and low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system integrity (I:H), and denial of service through availability disruption (A:H), as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Mitigation is provided through upstream patches committed to the Linux kernel stable repository. Relevant fixes include commits such as 029935507d0af6553c45380fbf6feecf756fd226, 393525dee5c39acff8d6705275d7fcaabcfb7f0a, 70bddc16491ef4681f3569b3a2c80309a3edcdd1, 949647e7771a4a01963fe953a96d81fba7acecf3, and c92510f5e3f82ba11c95991824a41e59a9c5ed81, which initialize the arp pointer after the dev_hard_header() call to restore correct behavior. Security practitioners should update to kernels incorporating these changes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer…

more

after dev_hard_header() call.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel memory corruption in ARP handling allows low-privileged user to achieve arbitrary code execution or full compromise, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152Same product: Linux Linux Kernel
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2025-21856Same product: Linux Linux Kernel
CVE-2025-21727Same product: Linux Linux Kernel
CVE-2026-23275Same product: Linux Linux Kernel
CVE-2026-31401Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel
CVE-2026-23437Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.1.160, 6.19, 6.6.120 · 6.12.64 — 6.12.66 · 6.18.4 — 6.18.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 directly requires identification, reporting, and correction of system flaws like CVE-2026-22988 through timely application of Linux kernel patches.

detect

RA-5 mandates vulnerability scanning to identify systems running vulnerable Linux kernel versions affected by CVE-2026-22988.

detect

SI-5 ensures organizations receive security advisories about kernel vulnerabilities like CVE-2026-22988 to initiate remediation processes.

References