Description
In the Linux kernel, the following vulnerability has been resolved:

net: skb: fix cross-cache free of KFENCE-allocated skb head

SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2
value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc
bucket sizes. This ensures that skb_kfree_head() can reliably use
skb_end_offset to distinguish skb heads allocated from
skb_small_head_cache vs. generic kmalloc caches.

However, when KFENCE is enabled, kfence_ksize() returns the exact
requested allocation size instead of the slab bucket size. If a caller
(e.g. bpf_test_init) allocates skb head data via kzalloc() and the
requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then
slab_build_skb() -> ksize() returns that exact value. After subtracting
skb_shared_info overhead, skb_end_offset ends up matching
SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free
the object to skb_small_head_cache instead of back to the original
kmalloc cache, resulting in a slab cross-cache free:

kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected
skbuff_small_head but got kmalloc-1k

Fix this by always calling kfree(head) in skb_kfree_head(). This keeps
the free path generic and avoids allocator-specific misclassification
for KFENCE objects.
Published: 2026-04-20
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a flaw in the network buffer (skb) free logic. The flaw corresponds to CWE-763 and, based on the allocation behavior, also reflects a potential mismanagement of resources (CWE-401). When KFENCE is enabled, ksize() returns the exact requested size instead of the slab bucket size, which causes skb_kfree_head() to misclassify the slab cache an skb head belongs to when it frees it. This cross-cache free can corrupt kernel memory or trigger a kernel crash, potentially affecting system reliability and security.
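The size collision from the description can be reproduced as a small user-space model. This is an added example, not kernel code or code from the patch: the function names are hypothetical, 704 is the x86_64 value quoted in the description, and 320 is an assumed stand-in for the aligned size of struct skb_shared_info.

```c
#include <stdio.h>

/* User-space model, not kernel code. 704 is the x86_64 example from the
 * description; SHINFO_OVERHEAD stands in for the aligned size of
 * struct skb_shared_info and is an assumed value. */
#define SKB_SMALL_HEAD_CACHE_SIZE 704u
#define SHINFO_OVERHEAD           320u
#define SKB_SMALL_HEAD_HEADROOM   (SKB_SMALL_HEAD_CACHE_SIZE - SHINFO_OVERHEAD)

enum cache { CACHE_KMALLOC, CACHE_SKB_SMALL_HEAD };

/* Generic kmalloc reports the bucket size (modelled as powers of two);
 * a KFENCE object reports the exact requested size. */
static unsigned model_ksize(unsigned requested, int kfence)
{
    unsigned bucket = 8;
    if (kfence)
        return requested;
    while (bucket < requested)
        bucket <<= 1;
    return bucket;
}

/* Pre-fix skb_kfree_head(): infers the owning cache from end_offset. */
static enum cache free_target_before_fix(unsigned end_offset)
{
    return end_offset == SKB_SMALL_HEAD_HEADROOM ? CACHE_SKB_SMALL_HEAD
                                                 : CACHE_KMALLOC;
}

/* Returns 1 if a kzalloc()'d head of `requested` bytes (> SHINFO_OVERHEAD)
 * would be released to a cache it was not allocated from. */
static int cross_cache_free(unsigned requested, int kfence, int fixed)
{
    enum cache origin = CACHE_KMALLOC;
    /* slab_build_skb(): end offset = ksize(head) - shared-info overhead */
    unsigned end = model_ksize(requested, kfence) - SHINFO_OVERHEAD;
    /* Post-fix: kfree(head) finds the cache from the object itself. */
    enum cache target = fixed ? origin : free_target_before_fix(end);
    return target != origin;
}

int main(void)
{
    printf("bucketed ksize, pre-fix : %d\n", cross_cache_free(704, 0, 0));
    printf("KFENCE ksize,   pre-fix : %d\n", cross_cache_free(704, 1, 0));
    printf("KFENCE ksize,   post-fix: %d\n", cross_cache_free(704, 1, 1));
    return 0;
}
```

Only the KFENCE case with a request of exactly 704 bytes misclassifies; with bucketed sizes the same request reports 1024, matching the kmalloc-1k cache named in the kernel message.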

Affected Systems

This vulnerability applies to any Linux kernel release containing the unchanged skb allocation code before the upstream patch is applied. All distributions that ship the code without changes are impacted. No specific distribution version information is provided, so the affected range is all kernels prior to the committed hotfix.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity vulnerability, while the EPSS score of <1% suggests a low probability of exploitation in the near term. The CVE does not describe a concrete exploitation path; it only notes that an attacker would need to allocate skb heads with the exact size that triggers the misclassifying free. The vulnerability is not listed in CISA’s KEV catalog, and the available evidence points to a moderate risk should a privileged or local attacker be able to trigger the allocation path.

Generated by OpenCVE AI on May 20, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream kernel patch that changes skb_kfree_head to always call kfree(), ensuring the free path is generic and avoids allocator‑specific misclassification.
  • Disable KFENCE in the kernel configuration (CONFIG_KFENCE=n) to eliminate the cross‑cache free issue introduced by KFENCE allocations.
  • Review and restrict any user‑space components that create skb heads, such as custom BPF programs or modules, until a patch or KFENCE disabling is in place.
  • Verify correct lock usage around skb allocation and deallocation to address CWE‑763, ensuring proper synchronization.

Generated by OpenCVE AI on May 20, 2026 at 20:24 UTC.


Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update

History

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics
Removed: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}
Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 27 Apr 2026 14:15:00 +0000


Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics
Removed: threat_severity None
Added: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}
Added: threat_severity Moderate


Mon, 20 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 20 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description: added (identical to the text in the Description section above)
Title net: skb: fix cross-cache free of KFENCE-allocated skb head
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:32.321Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31429

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-20T10:16:16.737

Modified: 2026-05-20T19:23:01.650

Link: CVE-2026-31429

Redhat

Severity : Moderate

Public Date: 2026-04-20T00:00:00Z

Links: CVE-2026-31429 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T20:30:39Z

Weaknesses