Description
In the Linux kernel, the following vulnerability has been resolved:

net: skb: fix cross-cache free of KFENCE-allocated skb head

SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2
value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc
bucket sizes. This ensures that skb_kfree_head() can reliably use
skb_end_offset to distinguish skb heads allocated from
skb_small_head_cache vs. generic kmalloc caches.

However, when KFENCE is enabled, kfence_ksize() returns the exact
requested allocation size instead of the slab bucket size. If a caller
(e.g. bpf_test_init) allocates skb head data via kzalloc() and the
requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then
slab_build_skb() -> ksize() returns that exact value. After subtracting
skb_shared_info overhead, skb_end_offset ends up matching
SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free
the object to skb_small_head_cache instead of back to the original
kmalloc cache, resulting in a slab cross-cache free:

kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected
skbuff_small_head but got kmalloc-1k

Fix this by always calling kfree(head) in skb_kfree_head(). This keeps
the free path generic and avoids allocator-specific misclassification
for KFENCE objects.
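To make the misclassification concrete, the following user-space C model (added here as an illustration; it is not kernel code and not part of the upstream commit) replays the decision skb_kfree_head() made before the fix and after it. The 704-byte SKB_SMALL_HEAD_CACHE_SIZE is the x86_64 value quoted above; the 320-byte skb_shared_info overhead and the kmalloc bucket table are assumptions of the model, chosen so that a 704-byte request lands in the kmalloc-1k bucket as the log line shows.

```c
/* Model of the skb head free-path classification described above.
 * Added illustration, not kernel code. Constants marked "assumed" are
 * not taken from the page. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SKB_SMALL_HEAD_CACHE_SIZE 704u   /* x86_64 value quoted on the page */
#define SHINFO_OVERHEAD           320u   /* assumed stand-in for SKB_DATA_ALIGN(sizeof(skb_shared_info)) */
#define SKB_SMALL_HEAD_HEADROOM   (SKB_SMALL_HEAD_CACHE_SIZE - SHINFO_OVERHEAD)

enum cache { CACHE_KMALLOC, CACHE_SMALL_HEAD };

/* Model of ksize(): a regular slab object reports its bucket size,
 * while a KFENCE-guarded object reports the exact requested size. */
unsigned int model_ksize(unsigned int requested, bool kfence)
{
    /* assumed generic kmalloc size classes; 704 rounds up to 1024 (kmalloc-1k) */
    static const unsigned int buckets[] = {8, 16, 32, 64, 96, 128, 192,
                                           256, 512, 1024, 2048, 4096};
    if (kfence)
        return requested;
    for (size_t i = 0; i < sizeof buckets / sizeof buckets[0]; i++)
        if (requested <= buckets[i])
            return buckets[i];
    return requested;
}

/* skb_end_offset as slab_build_skb() derives it: ksize() minus the
 * skb_shared_info that sits at the end of the head buffer. */
unsigned int model_end_offset(unsigned int requested, bool kfence)
{
    return model_ksize(requested, kfence) - SHINFO_OVERHEAD;
}

/* Pre-fix skb_kfree_head(): the target cache is chosen from
 * skb_end_offset alone; the object's real origin is never consulted. */
enum cache free_target_vulnerable(enum cache origin, unsigned int end_offset)
{
    (void)origin;
    return end_offset == SKB_SMALL_HEAD_HEADROOM ? CACHE_SMALL_HEAD : CACHE_KMALLOC;
}

/* Post-fix skb_kfree_head(): always kfree(), which returns the object to
 * whichever cache it was allocated from. */
enum cache free_target_fixed(enum cache origin, unsigned int end_offset)
{
    (void)end_offset;
    return origin;
}

/* True when the free would land in a cache other than the allocating one. */
bool is_cross_cache_free(enum cache origin, enum cache target)
{
    return origin != target;
}

int main(void)
{
    /* Scenario from the page: kzalloc() of exactly SKB_SMALL_HEAD_CACHE_SIZE bytes */
    const unsigned int req = SKB_SMALL_HEAD_CACHE_SIZE;
    const bool modes[] = {false, true};
    for (size_t i = 0; i < 2; i++) {
        unsigned int eo = model_end_offset(req, modes[i]);
        enum cache vuln = free_target_vulnerable(CACHE_KMALLOC, eo);
        enum cache fixed = free_target_fixed(CACHE_KMALLOC, eo);
        printf("kfence=%d ksize=%u end_offset=%u headroom=%u | pre-fix cross-cache=%d, post-fix cross-cache=%d\n",
               modes[i], model_ksize(req, modes[i]), eo, SKB_SMALL_HEAD_HEADROOM,
               is_cross_cache_free(CACHE_KMALLOC, vuln),
               is_cross_cache_free(CACHE_KMALLOC, fixed));
    }
    return 0;
}
```

Without KFENCE the 704-byte request is reported as 1024 and the end offset (704) does not match the headroom (384), so the old code correctly falls through to kfree(). With KFENCE the reported size is exactly 704, the end offset becomes 384, and the old code hands a kmalloc-1k object to skb_small_head_cache; the fixed path returns it to its own cache regardless.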
Published: 2026-04-20
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption via improper cross‑cache free
Action: Patch promptly
AI Analysis

Impact

The Linux kernel contains a flaw in the network buffer (skb) free logic. When KFENCE (Kernel Electric-Fence) is enabled, ksize() returns the exact requested size for a KFENCE-guarded object instead of the slab bucket size, causing the deallocation routine to misclassify the object and free it to the wrong slab cache. This cross-cache free can corrupt kernel memory or trigger a crash, potentially allowing an attacker to gain control or cause denial of service.

Affected Systems

The vulnerability applies to any Linux kernel that uses the skb subsystem with KFENCE enabled. All kernel releases that ship the code unchanged prior to the patch are affected. No specific vendor or distribution list is supplied, so the impact is described in terms of the generic Linux kernel.

Risk and Exploitability

The CVSS score is not listed, and the EPSS score is unavailable; however, the nature of the flaw (freeing memory to an incorrect slab cache) indicates a high-severity risk. The vulnerability is not yet in CISA's KEV catalog. The most likely attack vector is local manipulation of user-space code that triggers skb allocation, such as malicious BPF programs or crafted network packets, to exploit the incorrect free and corrupt kernel memory.

Generated by OpenCVE AI on April 20, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official upstream kernel patch that changes skb_kfree_head to always use kfree().
  • If patching is not immediately possible, recompile the kernel with KFENCE disabled (CONFIG_KFENCE=n).
  • Audit and restrict user‑space code that can trigger skb allocation, especially BPF programs, until a patch or disabling of KFENCE is possible.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 12:15:00 +0000

  • Weaknesses: added CWE-416

Mon, 20 Apr 2026 10:15:00 +0000

  • Description: added (the text shown under Description above)
  • Title: added "net: skb: fix cross-cache free of KFENCE-allocated skb head"
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: added Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-20T09:43:03.194Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31429

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T10:16:16.737

Modified: 2026-04-20T10:16:16.737

Link: CVE-2026-31429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T12:00:05Z

Weaknesses