Description
In the Linux kernel, the following vulnerability has been resolved:

net: add pskb_may_pull() to skb_gro_receive_list()

skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
first ensuring the data is in the linear area via pskb_may_pull(). When
the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
page fragments) while skb_gro_offset is non-zero (after IP+TCP header
parsing). The skb_pull() then decrements skb->len by skb_gro_offset
but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
in __skb_pull().

The UDP fraglist GRO path already contains this guard at
udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides
centralized protection for all callers (TCP, UDP, and any future
protocols), and ensures the precondition of skb_pull() is satisfied
before it is called.

On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the
skb is not held as a new GRO head and is instead delivered through the
normal receive path, matching the UDP handling.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel has a flaw in the skb_gro_receive_list() routine. The function pulls data from a socket buffer without ensuring the data is in the linear region, which triggers a BUG_ON when the buffer length becomes less than the data length. This leads to an immediate kernel crash. The bug is characterized by CWE‑805, Improper Boundary Calculation, and results in a denial‑of‑service condition.

Affected Systems

All Linux kernel implementations across distributions are affected, as the issue resides in core networking code that is part of the kernel. Without specific version information, the vulnerability may impact all current kernel releases until the patch is applied. The fix was introduced in commit 0cde3a0041, so any kernel newer than this commit is safe.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of < 1 % shows a very low but non‑zero exploitation probability. The vulnerability is not listed in CISA KEV and no publicly documented exploit currently exists. Attack would likely require delivery of malformed packets that trigger the GRO path; thus the attack vector is inferred as network‑based. The resulting kernel panic would cause a denial of service to the affected host.

Generated by OpenCVE AI on June 28, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that adds the pskb_may_pull guard to skb_gro_receive_list() (commit 0cde3a0041 or later).
  • Upgrade the system to a kernel release that includes the patch.
  • Monitor kernel logs for BUG_ON incidents or panics that may indicate exploitation attempts.

Generated by OpenCVE AI on June 28, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: add pskb_may_pull() to skb_gro_receive_list() skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without first ensuring the data is in the linear area via pskb_may_pull(). When the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in page fragments) while skb_gro_offset is non-zero (after IP+TCP header parsing). The skb_pull() then decrements skb->len by skb_gro_offset but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len) in __skb_pull(). The UDP fraglist GRO path already contains this guard at udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides centralized protection for all callers (TCP, UDP, and any future protocols), and ensures the precondition of skb_pull() is satisfied before it is called. On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the UDP handling.
Title net: add pskb_may_pull() to skb_gro_receive_list()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:45.131Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53235

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53235 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:15:08Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value