Description
In the Linux kernel, the following vulnerability has been resolved:

net: pull headers in qdisc_pkt_len_segs_init()

Most ndo_start_xmit() methods expect headers of gso packets
to be already in skb->head.

net/core/tso.c users are particularly at risk, because tso_build_hdr()
does a memcpy(hdr, skb->data, hdr_len);

qdisc_pkt_len_segs_init() already does a dissection of gso packets.

Use pskb_may_pull() instead of skb_header_pointer() to make
sure drivers do not have to reimplement this.

Some malicious packets could be fed, detect them so that we can
drop them sooner with a new SKB_DROP_REASON_SKB_BAD_GSO drop_reason.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
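
The difference between the two helpers named in the description, as an added example (a userspace toy model, not kernel code and not taken from the patch). The names toy_skb, toy_header_pointer, toy_may_pull and toy_scenario are hypothetical stand-ins, and the 64-byte packet is constructed. It shows why a copy-out read lets dissection succeed while a driver's memcpy(hdr, skb->data, hdr_len) would still run past the linear area, and why pulling first removes that gap.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy userspace model of an skb: linear head plus one fragment (hypothetical names). */
struct toy_skb { unsigned char *data; size_t headlen; const unsigned char *frag; size_t fraglen; };

/* Models skb_header_pointer(): the caller gets a readable header (copied into buf
 * when it spans the fragment), but the skb layout is left unchanged. */
static const unsigned char *toy_header_pointer(const struct toy_skb *s, size_t len, unsigned char *buf)
{
    if (len > s->headlen + s->fraglen) return NULL;
    if (len <= s->headlen) return s->data;
    memcpy(buf, s->data, s->headlen);
    memcpy(buf + s->headlen, s->frag, len - s->headlen);
    return buf;
}

/* Models pskb_may_pull(): moves bytes into the linear area so the first len bytes
 * sit at s->data; fails when the packet is shorter than the claimed header. */
static bool toy_may_pull(struct toy_skb *s, size_t len)
{
    if (len <= s->headlen) return true;
    if (len > s->headlen + s->fraglen) return false;
    unsigned char *nd = realloc(s->data, len);
    if (!nd) return false;
    memcpy(nd + s->headlen, s->frag, len - s->headlen);
    s->frag += len - s->headlen;
    s->fraglen -= len - s->headlen;
    s->data = nd; s->headlen = len;
    return true;
}

/* Constructed 64-byte packet, 14 bytes linear. Returns -1 if the packet is rejected,
 * 0 if a driver memcpy(hdr, data, hdr_len) would run past the linear area, 1 if safe. */
int toy_scenario(size_t hdr_len, bool pull)
{
    static unsigned char pkt[64];
    unsigned char buf[64];
    for (size_t i = 0; i < sizeof(pkt); i++) pkt[i] = (unsigned char)i;
    struct toy_skb s = { malloc(14), 14, pkt + 14, sizeof(pkt) - 14 };
    if (!s.data) return -1;
    memcpy(s.data, pkt, 14);
    bool ok = pull ? toy_may_pull(&s, hdr_len)
                   : (hdr_len <= sizeof(buf) && toy_header_pointer(&s, hdr_len, buf) != NULL);
    int rc = (!ok || hdr_len == 0) ? -1 : (hdr_len <= s.headlen && s.data[hdr_len - 1] == pkt[hdr_len - 1]);
    free(s.data);
    return rc;
}
```

With a 54-byte header claim, the copy-out path reports the unsafe state (0) and the pull path reports the safe one (1); a claim longer than the packet is rejected in either mode.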
AI Analysis

Impact

The vulnerability arises from the Linux kernel’s handling of GSO packets in net/core/tso.c and qdisc_pkt_len_segs_init(). A driver that assumes headers are already present in skb->head may call skb_header_pointer, which can return a pointer to uninitialized or out‑of‑bounds memory. When the kernel copies these values, it can read beyond the packet payload or corrupt the skb. This leads to a kernel crash or memory corruption when a malicious packet is received.

Affected Systems

Any Linux kernel implementation that has not incorporated the commit that replaces skb_header_pointer with pskb_may_pull in qdisc_pkt_len_segs_init is affected. That includes most releases prior to the fix listed in the public Git references and applies to all devices running an unpatched kernel.

Risk and Exploitability

The CVSS score is not supplied and EPSS is unavailable, but the vulnerability represents a serious risk to systems exposed to untrusted networks. An attacker only needs to craft a GSO packet with an incorrect header length; if the kernel accepts it, the resulting out‑of‑bounds read can crash the system. Because the code path is in the network stack, exploitation is likely to be local to remote network traffic, and the flaw is already present in production kernels until patched. The flaw has not yet entered the CISA KEV list, but its high impact suggests it could be considered for high‑priority remediation.

Generated by OpenCVE AI on June 24, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that incorporates the patch for qdisc_pkt_len_segs_init, which replaces skb_header_pointer with pskb_may_pull
  • If an immediate kernel upgrade is not feasible, disable Generic Segmentation Offload (GSO) on the affected network interfaces to avoid the problematic code path
  • As a temporary measure, configure the system to drop packets flagged with the SKB_DROP_REASON_SKB_BAD_GSO reason whenever possible
  • Verify that all network drivers handle GSO packets in accordance with the updated kernel documentation


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125, CWE-811

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | net: pull headers in qdisc_pkt_len_segs_init()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:30.290Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53091

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:15:07Z

Weaknesses