CVE-2026-43036 - Vulnerability Details

- net: use skb_header_pointer() for TCPv4 GSO frag_off check

Description

In the Linux kernel, the following vulnerability has been resolved:

net: use skb_header_pointer() for TCPv4 GSO frag_off check

Syzbot reported a KMSAN uninit-value warning in gso_features_check()
called from netif_skb_features() [1].

gso_features_check() reads iph->frag_off to decide whether to clear
mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()
can rely on skb header offsets that are not always safe for direct
dereference on packets injected from PF_PACKET paths.

Use skb_header_pointer() for the TCPv4 frag_off check so the header read
is robust whether data is already linear or needs copying.

[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407

Published: 2026-05-01

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The kernel incorrectly reads the IPv4 fragment offset field (frag_off) from packets received via the PF_PACKET path using a direct memory dereference. Because the packet header may not be linear, this can cause the kernel to read uninitialized or invalid memory, triggering a KMSAN uninitialized‑value warning or a kernel fault. The unsafe header access may corrupt kernel memory or lead to a crash, resulting in loss of service or system instability.

Affected Systems

All Linux kernel builds released before the commit that switches the frag_off check to skb_header_pointer(). The vulnerability affects every distribution or custom kernel running the affected kernel version, regardless of configuration.

Risk and Exploitability

The CVSS score of 5.5 classifies this issue as medium severity. Because there is no EPSS score or KEV listing, the exact likelihood of exploitation remains unclear. The likely attack vector would involve injecting crafted packets with the PF_PACKET socket, which usually requires CAP_NET_RAW or root privileges. An attacker with such privileges could trigger the unsafe header read, potentially causing a kernel fault and system instability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cbc53e08a793b073e79f42ca33f1f3568703540d`	affected	< f7a6cd508e9e825a2c69fa9e13d41ee156852f25
`cbc53e08a793b073e79f42ca33f1f3568703540d`	affected	< cc91202fc20a44aab4c206f12a2bfe05da936051
`cbc53e08a793b073e79f42ca33f1f3568703540d`	affected	< d970341cfa5594614c7a6634886c7688b4f5cafd
`cbc53e08a793b073e79f42ca33f1f3568703540d`	affected	< ddc748a391dd8642ba6b2e4fe22e7f2ddf84b7f0

Linux

affected

Version	Status	Constraints
`4.7`	affected	—
`0`	unaffected	< 4.7
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[cbc53e08a793b073e79f42ca33f1f3568703540d,f7a6cd508e9e825a2c69fa9e13d41ee156852f25)`	affected	code_commit	—
`[cbc53e08a793b073e79f42ca33f1f3568703540d,cc91202fc20a44aab4c206f12a2bfe05da936051)`	affected	code_commit	—
`[cbc53e08a793b073e79f42ca33f1f3568703540d,d970341cfa5594614c7a6634886c7688b4f5cafd)`	affected	code_commit	—
`[cbc53e08a793b073e79f42ca33f1f3568703540d,ddc748a391dd8642ba6b2e4fe22e7f2ddf84b7f0)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.7`	affected	semver	—
`[0,4.7)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel patch that introduces skb_header_pointer() for TCPv4 GSO frag_off checks
Reboot the system immediately after the patch to ensure all running processes use the updated kernel
If the patch is not yet available, restrict PF_PACKET traffic to trusted users or block it entirely on untrusted hosts

Generated by OpenCVE AI on May 2, 2026 at 07:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/cc91202fc20a44aab4c206f12a2bfe05da936051
https://git.kernel.org/stable/c/d970341cfa5594614c7a6634886c7688b4f5cafd
https://git.kernel.org/stable/c/ddc748a391dd8642ba6b2e4fe22e7f2ddf84b7f0
https://git.kernel.org/stable/c/f7a6cd508e9e825a2c69fa9e13d41ee156852f25
https://lore.kernel.org/linux-cve-announce/2026050102-CVE-2026-43036-1ff1@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43036
https://www.cve.org/CVERecord?id=CVE-2026-43036

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-824
References		https://lore.kernel.org/linux-cve-announce/2026050102-CVE-2026-43036-1ff1@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43036 https://www.cve.org/CVERecord?id=CVE-2026-43036
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: use skb_header_pointer() for TCPv4 GSO frag_off check Syzbot reported a KMSAN uninit-value warning in gso_features_check() called from netif_skb_features() [1]. gso_features_check() reads iph->frag_off to decide whether to clear mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr() can rely on skb header offsets that are not always safe for direct dereference on packets injected from PF_PACKET paths. Use skb_header_pointer() for the TCPv4 frag_off check so the header read is robust whether data is already linear or needs copying. [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
Title		net: use skb_header_pointer() for TCPv4 GSO frag_off check
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/cc91202fc20a44aab4c206f12a2bfe05da936051 https://git.kernel.org/stable/c/d970341cfa5594614c7a6634886c7688b4f5cafd https://git.kernel.org/stable/c/ddc748a391dd8642ba6b2e4fe22e7f2ddf84b7f0 https://git.kernel.org/stable/c/f7a6cd508e9e825a2c69fa9e13d41ee156852f25

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:34.640Z

Updated: 2026-05-01T14:15:34.640Z

Reserved: 2026-05-01T14:12:55.977Z

Link: CVE-2026-43036

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:48.273

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-43036

Redhat

Severity : Low

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43036 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:15:16Z

Weaknesses

CWE-824

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object