Description
In the Linux kernel, the following vulnerability has been resolved:

net: gro: fix outer network offset

The udp GRO complete stage assumes that all the packets inserted the RX
have the `encapsulation` flag zeroed. Such assumption is not true, as a
few H/W NICs can set such flag when H/W offloading the checksum for
a UDP encapsulated traffic, the tun driver can inject GSO packets with
UDP encapsulation and the problematic layout can also be created via
a veth based setup.

Due to the above, in the problematic scenarios, udp4_gro_complete() uses
the wrong network offset (inner instead of outer) to compute the outer
UDP header pseudo checksum, leading to csum validation errors later on
in packet processing.

Address the issue by always clearing the encapsulation flag at GRO completion
time. Such flag will be set again as needed for encapsulated packets by
udp_gro_complete().
Published: 2026-03-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A defect in the Linux kernel’s Generic Receive Offload (GRO) module causes the UDP checksum calculation to use an incorrect network offset when certain network interfaces set an encapsulation flag during offloading. The resulting checksum computation errors prevent packets from passing later validation steps, potentially leading to dropped or rejected traffic. This error can disrupt network communication for affected hosts, representing a modest Denial of Service risk. The weakness arises from improper handling of the encapsulation flag and incorrect offset usage, which aligns with known checksum calculation flaws in networking code.
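A user-space model of the wrong-offset condition in the description, added here as an illustration and not taken from the kernel source: it computes the outer UDP pseudo-header sum from whichever IPv4 header the `encapsulation` flag selects, with and without the flag cleared first. `pkt_model`, `build_sample`, `pseudo_sum` and `outer_udp_pseudo` are hypothetical names, the packet bytes are constructed, and indexing a two-entry offset array by the flag is a modelling assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pkt_model {               /* simplified model, not the kernel's sk_buff */
    uint8_t  data[64];
    unsigned network_offsets[2]; /* [0] = outer IPv4 header, [1] = inner */
    int      encapsulation;      /* flag as the driver delivered it */
};

/* Constructed sample; only the addresses the checksum reads are filled. */
static void build_sample(struct pkt_model *p, int encap_flag)
{
    static const uint8_t outer[8] = {10, 0, 0, 1, 10, 0, 0, 2};         /* src, dst */
    static const uint8_t inner[8] = {192, 168, 1, 1, 192, 168, 1, 2};   /* src, dst */
    memset(p, 0, sizeof(*p));            /* outer IPv4 stays at offset 0 */
    p->network_offsets[1] = 28;          /* 20 (outer IPv4) + 8 (outer UDP) */
    memcpy(p->data + 12, outer, 8);      /* saddr/daddr sit at IPv4 offset 12 */
    memcpy(p->data + 28 + 12, inner, 8);
    p->encapsulation = encap_flag;
}

/* Folded IPv4/UDP pseudo-header sum: saddr + daddr + protocol 17 + length. */
static uint16_t pseudo_sum(const uint8_t *iph, uint16_t udp_len)
{
    uint32_t acc = 17u + udp_len;
    for (int i = 12; i < 20; i += 2)
        acc += ((uint32_t)iph[i] << 8) | iph[i + 1];
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Pseudo sum for the outer UDP header; fix_applied clears the flag first. */
static uint16_t outer_udp_pseudo(struct pkt_model *p, uint16_t len, int fix_applied)
{
    if (fix_applied)
        p->encapsulation = 0;
    return pseudo_sum(p->data + p->network_offsets[p->encapsulation], len);
}

int main(void)
{
    struct pkt_model p;
    build_sample(&p, 1); /* flag already set, as in the problematic scenarios */
    printf("before fix: 0x%04x\n", (unsigned)outer_udp_pseudo(&p, 36, 0));
    printf("after fix:  0x%04x\n", (unsigned)outer_udp_pseudo(&p, 36, 1));
    return 0;
}
```

With the flag pre-set, the first value is built from the inner addresses and will not match what a receiver derives from the outer header; once the flag is cleared, both cases agree.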

Affected Systems

All Linux kernel builds that employ the Ethernet GRO path and support UDP checksum offloading are affected. The vulnerability applies to standard distribution kernels and any custom kernel configurations that enable GRO, including those using NICs that set the encapsulation flag or the tun/virtual Ethernet drivers that inject GSO packets. No specific version range is documented, but the fix has been merged into the kernel trunk and will be propagated through subsequent kernel releases. Systems should verify whether they are running a kernel version that contains the commit for this fix.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% denotes a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to deliver specially crafted UDP traffic or to manipulate NIC offloading behavior to trigger the incorrect checksum path. Such attacks are feasible over the network, but for most environments the probability of successful exploitation remains low given the minimal impact beyond packet loss or service interruption.

Generated by OpenCVE AI on June 1, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the "net: gro: fix outer network offset" patch. Reboot the system after upgrading to ensure the new kernel is running.
  • If an immediate kernel update is not possible, temporarily disable hardware checksum offloading on affected network interfaces to avoid triggering the incorrect checksum logic.
  • Consider updating or reconfiguring tun or virtual Ethernet drivers, or using NIC drivers that do not set the encapsulation flag, as a supplemental mitigation until a patch is applied.

Generated by OpenCVE AI on June 1, 2026 at 15:52 UTC.

Advisories

Source | ID | Title
Ubuntu USN | USN-8278-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-8289-1 | Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN | USN-8296-1 | Linux kernel (FIPS) vulnerabilities
Ubuntu USN | USN-8296-2 | Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN | USN-8278-2 | Linux kernel (Azure) vulnerabilities

History

Mon, 01 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 01 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc7:*:*:*:*:*:*

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-398
CWE-665

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-398
CWE-665

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 25 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-178

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-178

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: gro: fix outer network offset The udp GRO complete stage assumes that all the packets inserted the RX have the `encapsulation` flag zeroed. Such assumption is not true, as a few H/W NICs can set such flag when H/W offloading the checksum for an UDP encapsulated traffic, the tun driver can inject GSO packets with UDP encapsulation and the problematic layout can also be created via a veth based setup. Due to the above, in the problematic scenarios, udp4_gro_complete() uses the wrong network offset (inner instead of outer) to compute the outer UDP header pseudo checksum, leading to csum validation errors later on in packet processing. Address the issue always clearing the encapsulation flag at GRO completion time. Such flag will be set again as needed for encapsulated packets by udp_gro_complete().
Title net: gro: fix outer network offset
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:04:21.918Z

Reserved: 2026-01-13T15:37:45.990Z

Link: CVE-2026-23254

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-18T18:16:23.530

Modified: 2026-06-01T14:10:37.893

Link: CVE-2026-23254

Red Hat

Severity: Low

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23254 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-01T16:00:17Z

Weaknesses