Description
In the Linux kernel, the following vulnerability has been resolved:

net: pull headers in qdisc_pkt_len_segs_init()

Most ndo_start_xmit() methods expects headers of gso packets
to be already in skb->head.

net/core/tso.c users are particularly at risk, because tso_build_hdr()
does a memcpy(hdr, skb->data, hdr_len);

qdisc_pkt_len_segs_init() already does a dissection of gso packets.

Use pskb_may_pull() instead of skb_header_pointer() to make
sure drivers do not have to reimplement this.

Some malicious packets could be fed, detect them so that we can
drop them sooner with a new SKB_DROP_REASON_SKB_BAD_GSO drop_reason.
Published: 2026-06-24
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds memory read occurs in the kernel function qdisc_pkt_len_segs_init when it uses skb_header_pointer to pull packet headers for GSO packets. A crafted GSO packet can trigger the vulnerability, exposing uninitialized memory to the kernel. The resulting crash can halt the machine, providing an attacker with a remote denial‑of‑service vector.

Affected Systems

All Linux kernel builds that do not include the patch committed by 7fb4c19670110f052c04e1ec1d2b953b9f4f57e4 are affected. This covers virtually every distribution kernel prior to that commit, regardless of version, as the vulnerability resides in core networking code.

Risk and Exploitability

The flaw carries a CVSS score of 8.4, indicating high severity, but its EPSS score is under 1%, signifying a low current likelihood of exploitation. The bug is not listed in CISA’s KEV catalog. An attacker can deliver a specially crafted GSO packet over the network; no authentication is required. If successful, the kernel crash causes a system‑wide denial of service.

Generated by OpenCVE AI on June 28, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates the qdisc_pkt_len_segs_init patch replacing skb_header_pointer with pskb_may_pull.
  • Disable Generic Segmentation Offload (GSO) on network interfaces if an immediate kernel upgrade is not available.
  • Configure network monitoring or firewall rules to drop malformed GSO packets, leveraging the SKB_DROP_REASON_SKB_BAD_GSO drop reason once the patch is applied.

Generated by OpenCVE AI on June 28, 2026 at 14:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-811

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H'}


Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-811

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: pull headers in qdisc_pkt_len_segs_init() Most ndo_start_xmit() methods expects headers of gso packets to be already in skb->head. net/core/tso.c users are particularly at risk, because tso_build_hdr() does a memcpy(hdr, skb->data, hdr_len); qdisc_pkt_len_segs_init() already does a dissection of gso packets. Use pskb_may_pull() instead of skb_header_pointer() to make sure drivers do not have to reimplement this. Some malicious packets could be fed, detect them so that we can drop them sooner with a new SKB_DROP_REASON_SKB_BAD_GSO drop_reason.
Title net: pull headers in qdisc_pkt_len_segs_init()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:45:00.084Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53091

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53091 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-131

    Incorrect Calculation of Buffer Size