Description
In the Linux kernel, the following vulnerability has been resolved:

net: add pskb_may_pull() to skb_gro_receive_list()

skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
first ensuring the data is in the linear area via pskb_may_pull(). When
the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
page fragments) while skb_gro_offset is non-zero (after IP+TCP header
parsing). The skb_pull() then decrements skb->len by skb_gro_offset
but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
in __skb_pull().

The UDP fraglist GRO path already contains this guard at
udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides
centralized protection for all callers (TCP, UDP, and any future
protocols), and ensures the precondition of skb_pull() is satisfied
before it is called.

On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the
skb is not held as a new GRO head and is instead delivered through the
normal receive path, matching the UDP handling.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a flaw was discovered in the Generic Receive Offload (GRO) path: skb_gro_receive_list() pulls data from a socket buffer without first verifying that the data resides in the linear part of the buffer. When packets arrive through napi_gro_frags() with all data in page fragments and a non-zero GRO offset, the pull reduces skb->len while skb->data_len stays unchanged, which triggers the BUG_ON in __skb_pull() and results in an immediate kernel panic. The impact is a denial of service that aborts the operating system when the vulnerability is exercised. The weakness is a precondition check failure related to improper buffer bounds handling and aligns with CWE-125 (Out-of-Bounds Read).
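
The length accounting behind the BUG_ON and the guard that prevents it, as an added example that is neither kernel code nor part of the original advisory. It is a userspace C model: `struct model_skb`, `enum rx_result`, `model_skb_pull()`, `model_pskb_may_pull()` and `receive_list()` are hypothetical stand-ins, and the `RX_FLUSHED` return value is an assumption (the page only states that flush is set to 1).

```c
/* Userspace model of sk_buff length accounting; added example, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum rx_result { RX_OK, RX_REFUSED, RX_FLUSHED, RX_BUG };  /* model-only names */
struct model_skb {
    unsigned int len;        /* total bytes, linear + paged */
    unsigned int data_len;   /* bytes held in page fragments */
    unsigned int gro_offset; /* header bytes GRO has already parsed */
    bool flush;              /* stands in for NAPI_GRO_CB(skb)->flush */
};

/* skb_pull() accounting: only len shrinks, so pulling paged bytes breaks len >= data_len. */
static enum rx_result model_skb_pull(struct model_skb *s, unsigned int n)
{
    if (n > s->len)
        return RX_REFUSED;                         /* skb_pull() returns NULL, no change */
    s->len -= n;
    return s->len < s->data_len ? RX_BUG : RX_OK;  /* the BUG_ON in __skb_pull() */
}

/* pskb_may_pull() accounting: move bytes out of fragments until n bytes are linear. */
static bool model_pskb_may_pull(struct model_skb *s, unsigned int n)
{
    unsigned int have = s->len - s->data_len;      /* skb_headlen() */
    if (n <= have)
        return true;
    if (n > s->len)
        return false;            /* the kernel call can also fail on allocation */
    s->data_len -= n - have;
    return true;
}

/* guarded=true is the fixed shape: check first; on failure set flush and skip the pull. */
static enum rx_result receive_list(struct model_skb *s, bool guarded)
{
    if (guarded && !model_pskb_may_pull(s, s->gro_offset)) {
        s->flush = true;
        return RX_FLUSHED;       /* assumed signalling; the page only specifies flush = 1 */
    }
    return model_skb_pull(s, s->gro_offset);
}

int main(void)
{
    struct model_skb a = { 1500, 1500, 40, false }, b = a;  /* constructed sample */
    printf("unguarded=%d guarded=%d\n", receive_list(&a, false), receive_list(&b, true));
    return 0;
}
```

With the constructed sample (headlen 0, offset 40), the unguarded call leaves len at 1460 against a data_len of 1500, which is the state the BUG_ON rejects; the guarded call first moves 40 bytes into the linear area, so the invariant holds after the pull.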

Affected Systems

All Linux kernel implementations across distributions are affected, regardless of vendor, as the issue is in core kernel networking code. The problem exists wherever the kernel runs segmented packet processing via GRO, which is common in modern network stacks.

Risk and Exploitability

The absence of EPSS data and of a KEV listing means that the exploit probability is not quantified, but the failure leads to a system crash whenever malicious or malformed packets are processed. Given the critical nature of the kernel and the ease of delivering network traffic, the risk is considered high. The vulnerability can be triggered remotely by crafted packets and does not require elevated privileges on the host. No public exploit code is known, but the nature of the bug allows for straightforward exploitation in environments that process network traffic.

Generated by OpenCVE AI on June 25, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that includes the patch from commit 0cde3a0041 or later.
  • If using a custom kernel, apply the patch that adds the pskb_may_pull() guard to skb_gro_receive_list().
  • If upgrading is not immediately possible, consider temporarily disabling GRO or GRO buffering to prevent the kernel from invoking the vulnerable path.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:00:00 +0000

Values added (none removed):

  • Weaknesses: CWE-119, CWE-125

Thu, 25 Jun 2026 09:15:00 +0000

Values added (none removed):

  • Description: same text as the Description section at the top of this page
  • Title: net: add pskb_may_pull() to skb_gro_receive_list()
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
  • References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:32.518Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53235

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:45:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-125

    Out-of-bounds Read