Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation

Ulrich reports a regression with nfqueue:

If an application did not set the 'F_GSO' capability flag and a gso
packet with an unconfirmed nf_conn entry is received all packets are
now dropped instead of queued, because the check happens after
skb_gso_segment(). In that case, we did have exclusive ownership
of the skb and its associated conntrack entry. The elevated use
count is due to skb_clone happening via skb_gso_segment().

Move the check so that it's performed vs. the aggregated packet.

Then, annotate the individual segments except the first one so we
can do a 2nd check at reinject time.

For the normal case, where userspace does in-order reinjects, this avoids
packet drops: first reinjected segment continues traversal and confirms
entry, remaining segments observe the confirmed entry.

While at it, simplify nf_ct_drop_unconfirmed(): We only care about
unconfirmed entries with a refcnt > 1, there is no need to special-case
dying entries.

This only happens with UDP. With TCP, the only unconfirmed packet will
be the TCP SYN, those aren't aggregated by GRO.

Next patch adds a udpgro test case to cover this scenario.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

nfnetlink_queue hands packets matched by an NFQUEUE rule to a userspace program over netlink. When that program has not set the NFQA_CFG_F_GSO queue flag (the 'F_GSO' capability flag in the description), the kernel splits a GSO packet into individual segments with skb_gso_segment() before queuing them, and each segment is a clone holding its own reference to the packet's conntrack entry. Affected kernels ran the shared-unconfirmed check (drop a packet whose nf_conn is still unconfirmed and has a use count above 1) only after that segmentation, so for the first GSO packet of a new UDP flow every segment saw an elevated use count and was dropped instead of queued, even though the aggregated packet had been exclusively owned. The result is loss of new-flow UDP traffic traversing such a queue, a denial of service; confidentiality and integrity are not affected. TCP is not affected because only the SYN is unconfirmed and GRO does not aggregate SYNs.
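The ordering problem, as an added user-space model that is not kernel code and not the patch. It keeps only what the description states: a conntrack entry with a use count and a confirmed flag, a segmentation step that clones the skb (each clone taking a reference on the entry), the simplified shared-unconfirmed check, and the reinject-time re-check on annotated segments. Every name ending in _model is a placeholder of this example, not a kernel symbol.

```c
/* Added example: user-space model of the nfnetlink_queue check ordering.
 * Not kernel code and not the fix; all *_model names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SEGS 8

struct nf_conn_model {
    int use;        /* reference count (nf_conn.ct_general.use in the kernel) */
    bool confirmed; /* set once the flow's first packet leaves the hook chain */
};

struct skb_model {
    struct nf_conn_model *ct;
    bool check_at_reinject; /* the fix's annotation on segments after the first */
};

/* Simplified nf_ct_drop_unconfirmed(): an unconfirmed entry that is shared
 * (use count > 1) cannot be queued safely, so the packet is dropped. */
static bool drop_unconfirmed_model(const struct nf_conn_model *ct)
{
    return ct != NULL && !ct->confirmed && ct->use > 1;
}

/* skb_gso_segment() stand-in: every segment is a clone sharing the conntrack
 * entry and taking its own reference (skb_clone -> nf_conntrack_get). The
 * original GSO skb keeps its reference until the caller frees it. */
static void gso_segment_model(struct skb_model *gso, struct skb_model segs[], int nsegs)
{
    for (int i = 0; i < nsegs; i++) {
        segs[i].ct = gso->ct;
        segs[i].check_at_reinject = false;
        gso->ct->use++;
    }
}

/* Pre-fix ordering: segment first, check each segment afterwards.
 * Returns the number of segments queued to user space. */
static int queue_buggy_model(struct skb_model *gso, struct skb_model segs[], int nsegs)
{
    int queued = 0;

    gso_segment_model(gso, segs, nsegs);
    for (int i = 0; i < nsegs; i++) {
        /* use count is already nsegs + 1 here, so a new flow is always dropped */
        if (drop_unconfirmed_model(segs[i].ct)) {
            segs[i].ct->use--; /* kfree_skb -> nf_conntrack_put */
            continue;
        }
        queued++;
    }
    return queued;
}

/* Fixed ordering: check the aggregated packet while it is still exclusively
 * owned, then segment and annotate every segment except the first. */
static int queue_fixed_model(struct skb_model *gso, struct skb_model segs[], int nsegs)
{
    if (drop_unconfirmed_model(gso->ct))
        return 0;
    gso_segment_model(gso, segs, nsegs);
    for (int i = 1; i < nsegs; i++)
        segs[i].check_at_reinject = true;
    return nsegs;
}

/* Reinject path: an annotated segment re-runs the check; a segment that passes
 * continues traversal and confirms the entry. `order` is the order in which
 * user space reinjects (NULL = in order). Returns how many segments continue. */
static int reinject_model(struct skb_model segs[], int nsegs, const int *order)
{
    int accepted = 0;

    for (int i = 0; i < nsegs; i++) {
        struct skb_model *s = &segs[order ? order[i] : i];

        if (s->check_at_reinject && drop_unconfirmed_model(s->ct)) {
            s->ct->use--;
            continue;
        }
        s->ct->confirmed = true; /* nf_conntrack_confirm() on the first packet */
        accepted++;
    }
    return accepted;
}

/* Drive one GSO packet of a flow through either path; return the number of
 * segments that finally continue past the hook. */
static int run_scenario_model(bool fixed, bool flow_confirmed, int nsegs, const int *order)
{
    struct nf_conn_model ct = { .use = 1, .confirmed = flow_confirmed };
    struct skb_model gso = { .ct = &ct, .check_at_reinject = false };
    struct skb_model segs[MAX_SEGS];
    int queued;

    if (nsegs > MAX_SEGS)
        nsegs = MAX_SEGS;
    queued = fixed ? queue_fixed_model(&gso, segs, nsegs)
                   : queue_buggy_model(&gso, segs, nsegs);
    if (queued == 0)
        return 0;
    return reinject_model(segs, nsegs, order);
}

int main(void)
{
    static const int reversed[4] = { 3, 2, 1, 0 };

    printf("new UDP flow, pre-fix ordering:     %d of 4 continue\n",
           run_scenario_model(false, false, 4, NULL));
    printf("new UDP flow, fixed, in order:      %d of 4 continue\n",
           run_scenario_model(true, false, 4, NULL));
    printf("new UDP flow, fixed, reversed:      %d of 4 continue\n",
           run_scenario_model(true, false, 4, reversed));
    printf("established flow, pre-fix ordering: %d of 4 continue\n",
           run_scenario_model(false, true, 4, NULL));
    return 0;
}
```

The reversed-order case is the reinject-time caveat from the description: segments annotated by the fix are still dropped if userspace reinjects them before the first segment has confirmed the entry, so only in-order reinjection is loss-free.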

Affected Systems

Linux kernels carrying the regression described above. The page does not identify the change that introduced it or the first fixed release, so any kernel that includes nfnetlink_queue and predates the fix should be treated as potentially affected until distribution advisories say otherwise. The CPE is the generic Linux kernel entry (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*), which covers the kernels shipped by Ubuntu, Red Hat, Debian and other vendors. Only hosts that actually queue traffic to userspace with NFQUEUE, from an application that has not set the F_GSO flag, are exposed.

Risk and Exploitability

The current CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), rated High; it replaced an earlier 7.0 local-vector score, and Red Hat rates the issue Moderate. The EPSS score is below 1 per cent, and the CVE is not in the CISA KEV catalog. No exploit is needed: the trigger is the first packets of a new UDP flow, aggregated by GRO into a GSO packet and matched by an NFQUEUE rule whose userspace consumer has not set F_GSO. The page describes no exploit chain or public exploit, and the impact is limited to dropped UDP traffic on hosts meeting those conditions.

Generated by OpenCVE AI on May 30, 2026 at 12:25 UTC.

Remediation

No vendor-specific fix or workaround is listed on this page. The upstream fix is the nfnetlink_queue commit described above, which moves the shared-unconfirmed check ahead of skb_gso_segment() and re-checks the annotated segments at reinject time.

OpenCVE Recommended Actions

  • Upgrade to a kernel that includes the nfnetlink_queue fix (the commit titled "netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation").
  • Until then, keep traffic out of the segmentation path: either have the nfqueue application set the NFQA_CFG_F_GSO queue flag so the kernel queues the aggregated packet unsegmented, or turn off GRO on the interfaces that receive the affected UDP traffic so no GSO packets reach the queue. Disabling NFQUEUE processing entirely also avoids the drops but removes whatever filtering the queue provides.
  • After installing the patched kernel, reboot (or apply it through live patching) and confirm that new UDP flows traversing the queue are queued rather than dropped.
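The interface-side workaround from the list above, as an added example that is not from the advisory, OpenCVE, or the kernel tree. It assumes ethtool is installed and uses the feature names ethtool prints (generic-receive-offload, rx-gro-list, rx-udp-gro-forwarding); drivers may mark some of them "[fixed]" and refuse to change them. The sample ethtool output is constructed for the offline check, not captured from a real host.

```shell
#!/bin/sh
# Added example: keep GRO from building GSO UDP packets on an ingress
# interface, so an NFQUEUE consumer without NFQA_CFG_F_GSO never reaches the
# segmentation path. Assumes ethtool; feature names are ethtool's own.

# Pure parser: read `ethtool -k` output on stdin and succeed (exit 0) if the
# named feature is reported "on". Kept separate so it can be checked offline.
feature_is_on() {
    awk -v key="$1:" '
        $1 == key { state = $2 }
        END { if (state == "on") exit 0; exit 1 }
    '
}

# Constructed sample of `ethtool -k eth0` output for the offline check.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
generic-receive-offload: on
rx-gro-list: off
rx-udp-gro-forwarding: on [fixed]
tcp-segmentation-offload: on'

# Print the GRO-related features currently enabled on a real interface.
gro_features_on() {
    iface=$1
    for f in generic-receive-offload rx-gro-list rx-udp-gro-forwarding; do
        if ethtool -k "$iface" | feature_is_on "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Apply the workaround and show the resulting state. "gro off" also stops
# UDP GRO; the two UDP-specific flags are cleared explicitly because they
# are separate toggles.
disable_gro() {
    iface=$1
    ethtool -K "$iface" gro off rx-gro-list off rx-udp-gro-forwarding off
    ethtool -k "$iface" | grep -E '^(generic-receive-offload|rx-gro-list|rx-udp-gro-forwarding):'
}

# Usage: sh gro-workaround.sh <iface> [apply]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "apply" ]; then
        disable_gro "$1"
    else
        gro_features_on "$1"
    fi
fi
```

Turning GRO off only covers packets aggregated on receive and costs throughput on busy links; UDP sent locally with the UDP_SEGMENT socket option is generated as a GSO packet and still takes the segmentation path if it is queued. The application-side alternative is to set the flag itself (with libnetfilter_queue, nfq_set_queue_flags(qh, NFQA_CFG_F_GSO, NFQA_CFG_F_GSO)), which is the cleaner fix where the consumer can handle unsegmented packets.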

Generated by OpenCVE AI on May 30, 2026 at 12:25 UTC.

Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000
  Metrics
    Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 28 May 2026 14:30:00 +0000
  Weaknesses: CWE-606

Thu, 28 May 2026 12:15:00 +0000
  Weaknesses: CWE-367
  References
  Metrics
    Removed: threat_severity None
    Added:   cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
             threat_severity Moderate

Wed, 27 May 2026 17:15:00 +0000
  Weaknesses: CWE-606

Wed, 27 May 2026 14:15:00 +0000
  Description: added (the commit message reproduced in the Description section above)
  Title: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation
  First Time appeared: Linux, Linux linux Kernel
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: Linux, Linux linux Kernel
  References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-30T10:45:35.721Z

Reserved: 2026-05-13T15:03:33.079Z

Link: CVE-2026-45859

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:16:58.060

Modified: 2026-06-17T10:52:37.300

Link: CVE-2026-45859

Red Hat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45859 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T12:30:23Z

Weaknesses
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition