Impact
The flaw lies in the Linux kernel’s network packet aggregation routine skb_gro_receive, which copies fragments from a source socket buffer into a GRO socket buffer without verifying whether either buffer uses zero‑copy mode. The SKBFL_MANAGED_FRAG_REFS flag marks a buffer as zero‑copy, meaning its fragment pages are not reference counted by the buffer itself. When the routine appends these non‑reference‑counted fragments to another buffer, the receiving buffer ends up pointing at pages it does not hold a reference to; once those pages are released, the reference dangles, resulting in a use‑after‑free that corrupts kernel memory. This corruption could affect critical kernel data structures and lead to instability or arbitrary code execution at the kernel level.
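To make the reference-counting rule concrete, the following is an added, deliberately simplified model of the behaviour described above; it is not the kernel's code, and the struct layout, helper names and the numeric value given to SKBFL_MANAGED_FRAG_REFS are constructed for illustration. A zero-copy buffer holds no references of its own, so copying its fragment descriptors into a buffer that will drop a reference per fragment on release frees the page out from under its real owner. The checked variant declines to merge whenever either side is zero-copy, which is the check the advisory says the flawed routine lacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not the kernel's definitions. */
#define MAX_FRAGS 8
#define SKBFL_MANAGED_FRAG_REFS 0x1u   /* constructed value for this model */

struct page {
    int refcount;   /* number of holders */
    bool freed;     /* set once the last holder drops its reference */
};

struct skb {
    struct page *frags[MAX_FRAGS];
    int nr_frags;
    unsigned int flags;
};

static void page_unref(struct page *p) {
    if (p->freed)
        return;                      /* nothing left to drop */
    if (--p->refcount == 0)
        p->freed = true;
}

/* A buffer without the managed flag owns one reference per fragment and
 * drops them on release. A managed (zero-copy) buffer holds none: its
 * pages belong to an external owner, so release touches no refcounts. */
static void skb_release(struct skb *s) {
    if (!(s->flags & SKBFL_MANAGED_FRAG_REFS)) {
        for (int i = 0; i < s->nr_frags; i++)
            page_unref(s->frags[i]);
    }
    s->nr_frags = 0;
}

/* Unchecked merge, as the advisory describes: fragment descriptors are
 * copied across without looking at zero-copy mode on either side. */
static int merge_unchecked(struct skb *dst, struct skb *src) {
    if (dst->nr_frags + src->nr_frags > MAX_FRAGS)
        return -1;
    for (int i = 0; i < src->nr_frags; i++)
        dst->frags[dst->nr_frags++] = src->frags[i];
    src->nr_frags = 0;
    return 0;
}

/* Checked merge: refuse when either buffer is zero-copy, so the caller
 * handles the packets separately instead of aggregating them. */
static int merge_checked(struct skb *dst, struct skb *src) {
    if ((dst->flags | src->flags) & SKBFL_MANAGED_FRAG_REFS)
        return -1;
    return merge_unchecked(dst, src);
}

/* Scenario: an external owner holds the only reference to a page that a
 * zero-copy buffer points at. The GRO buffer is released first, then the
 * source. Returns true if the page was freed while the owner still
 * held its reference, i.e. the reference now dangles. */
static bool page_freed_under_owner(int (*merge)(struct skb *, struct skb *)) {
    struct page pg = { .refcount = 1, .freed = false };   /* owner's ref only */
    struct skb src = { .frags = { &pg }, .nr_frags = 1,
                       .flags = SKBFL_MANAGED_FRAG_REFS };
    struct skb dst = { .nr_frags = 0, .flags = 0 };

    (void)merge(&dst, &src);
    skb_release(&dst);
    skb_release(&src);
    return pg.freed;
}

int main(void) {
    printf("unchecked merge frees page under owner: %s\n",
           page_freed_under_owner(merge_unchecked) ? "yes" : "no");
    printf("checked merge frees page under owner:   %s\n",
           page_freed_under_owner(merge_checked) ? "yes" : "no");
    return 0;
}
```

The model shows why the fix is a refusal rather than a repair: a buffer that is not zero-copy has no way to know that a copied fragment carries no reference, so the only safe point to intervene is before the fragments are appended.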
Affected Systems
All Linux kernel releases prior to the commit that introduced this fix, i.e., any kernel version lacking commit 1f9c828556416fbe3f49386708ce999fc4d4da06. The vulnerability is relevant on any system that uses the affected kernel and processes network traffic on interfaces enabled for Generic Receive Offload (GRO).
Risk and Exploitability
The vulnerability carries a CVSS score of 7.8, indicating high severity, while its EPSS score is under 1%, suggesting a low likelihood of exploitation in the wild. The flaw is not catalogued in CISA’s KEV. The likely attack vector involves an attacker sending specially crafted network packets that trigger the flawed skb_gro_receive path. Exploitation would require network connectivity to the target and would result in kernel memory corruption that could cause a denial of service or provide an escalation path if the attacker controls the memory being corrupted.
OpenCVE Enrichment