Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation

Ulrich reports a regression with nfqueue:

If an application did not set the 'F_GSO' capability flag and a gso
packet with an unconfirmed nf_conn entry is received, all packets are
now dropped instead of queued, because the check happens after
skb_gso_segment(). In that case, we did have exclusive ownership
of the skb and its associated conntrack entry. The elevated use
count is due to skb_clone happening via skb_gso_segment().

Move the check so that it's performed vs. the aggregated packet.

Then, annotate the individual segments except the first one so we
can do a 2nd check at reinject time.

For the normal case, where userspace does in-order reinjects, this avoids
packet drops: first reinjected segment continues traversal and confirms
entry, remaining segments observe the confirmed entry.

While at it, simplify nf_ct_drop_unconfirmed(): We only care about
unconfirmed entries with a refcnt > 1, there is no need to special-case
dying entries.

This only happens with UDP. With TCP, the only unconfirmed packet will
be the TCP SYN, those aren't aggregated by GRO.

Next patch adds a udpgro test case to cover this scenario.
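As an added illustration of the ordering flaw the description explains (a constructed model, not code from the kernel patch): nf_ct_drop_unconfirmed() rejects a packet whose unconfirmed conntrack entry has refcnt > 1, and when skb_gso_segment() runs first, the skb_clone() of every segment raises that refcnt, so an exclusively owned GSO packet is dropped in full. The struct fields, function names and refcnt accounting below are simplified assumptions; the reinject-time annotation the patch adds is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-in for struct nf_conn (only the fields the check reads) and for an sk_buff. */
struct conn { bool confirmed; int refcnt; };
struct skb { struct conn *ct; int gso_segs; };  /* gso_segs > 1: GRO-aggregated packet */

/* Simplified nf_ct_drop_unconfirmed(): drop if an unconfirmed entry is shared (refcnt > 1). */
static bool drop_unconfirmed(const struct skb *s)
{
    return s->ct != NULL && !s->ct->confirmed && s->ct->refcnt > 1;
}

/* Simplified skb_gso_segment(): a GSO skb is split into segments, and each segment is an
 * skb_clone() holding its own reference on the conntrack entry; non-GSO skbs pass through. */
static size_t gso_segment(const struct skb *s, struct skb *out, size_t max)
{
    size_t n = s->gso_segs > 1 ? (size_t)s->gso_segs : 1;
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++) {
        out[i] = *s;
        out[i].gso_segs = 1;
        if (s->gso_segs > 1) s->ct->refcnt++;  /* the clone shares the entry */
    }
    return n;
}

/* Old order (the bug): segment first, then check every segment. With the entry
 * unconfirmed and the refcnt raised by the clones, every segment is dropped.
 * Returns how many segments are queued to userspace. */
int queued_check_after_segmentation(int gso_segs, int initial_refcnt)
{
    struct conn ct = { .confirmed = false, .refcnt = initial_refcnt };
    struct skb in = { .ct = &ct, .gso_segs = gso_segs }, segs[16];
    size_t n = gso_segment(&in, segs, 16);
    int queued = 0;
    for (size_t i = 0; i < n; i++)
        queued += drop_unconfirmed(&segs[i]) ? 0 : 1;
    return queued;
}

/* Fixed order: check the aggregated skb, whose refcnt still reflects real sharing
 * (1 means exclusive ownership; 2 or more means genuinely shared), then segment. */
int queued_check_before_segmentation(int gso_segs, int initial_refcnt)
{
    struct conn ct = { .confirmed = false, .refcnt = initial_refcnt };
    struct skb in = { .ct = &ct, .gso_segs = gso_segs }, segs[16];
    if (drop_unconfirmed(&in)) return 0;
    return (int)gso_segment(&in, segs, 16);
}
```

Calling both functions with an exclusively owned four-segment packet (refcnt 1) shows the old order queuing nothing and the fixed order queuing all four, while a genuinely shared entry (refcnt 2) is still dropped in both orders.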
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in the Linux kernel’s netfilter nfnetlink_queue module causes all packets of a GSO packet to be dropped instead of queued when the packet arrives with an unconfirmed connection-tracking entry and the queueing application has not set the F_GSO capability flag. The kernel performs the unconfirmed check after segmentation, when the cloned segments have already raised the entry's use count, resulting in packet loss. Unlike TCP, where only the SYN packet is unconfirmed and is not aggregated by GRO, this issue affects UDP traffic routed through nfqueue, potentially disrupting legitimate traffic and producing a denial‑of‑service effect.

Affected Systems

All current Linux kernel builds prior to the patch release, regardless of distribution, as the vulnerability is in the core nfnetlink_queue component. Administrators should verify that their kernels have been updated to versions including the recent commit that moves the unconfirmed check before segmentation.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Although no public exploit is documented, the flaw can be triggered by an attacker who sends crafted GSO UDP packets to a target system handling nfqueue traffic, leading to sustained packet drops. The impact is confined to network traffic; no compromise of host integrity or confidentiality is reported. The overall risk is moderate, with the primary concern being service availability.

Generated by OpenCVE AI on May 27, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the nfnetlink_queue patch
  • In environments where a kernel upgrade is not immediately possible, avoid passing GSO (GRO‑aggregated) UDP traffic to nfqueue; consider disabling nfqueue or delivering non‑GSO packets to it until the patch can be applied.
  • After applying the patch, reboot the system or restart networking services to ensure the new kernel is in use and monitor traffic to confirm that packet drops have ceased.



Advisories

No advisories yet.

History

Wed, 27 May 2026 17:15:00 +0000

Type / Values Removed / Values Added
Weaknesses: added CWE-606

Wed, 27 May 2026 14:15:00 +0000

Type / Values Removed / Values Added
Description: added (the description shown above)
Title: added "netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation"
First Time appeared: added Linux; Linux linux Kernel
CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: added Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:15:39.322Z

Reserved: 2026-05-13T15:03:33.079Z

Link: CVE-2026-45859

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:58.060

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:45:32Z

Weaknesses