7.5
/ 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation
Ulrich reports a regression with nfqueue:
If an application did not set the 'F_GSO' capability flag and a gso
packet with an unconfirmed nf_conn entry is received all packets are
now dropped instead of queued, because the check happens after
skb_gso_segment(). In that case, we did have exclusive ownership
of the skb and its associated conntrack entry. The elevated use
count is due to skb_clone happening via skb_gso_segment().
Move the check so that its peformed vs. the aggregated packet.
Then, annotate the individual segments except the first one so we
can do a 2nd check at reinject time.
For the normal case, where userspace does in-order reinjects, this avoids
packet drops: first reinjected segment continues traversal and confirms
entry, remaining segments observe the confirmed entry.
While at it, simplify nf_ct_drop_unconfirmed(): We only care about
unconfirmed entries with a refcnt > 1, there is no need to special-case
dying entries.
This only happens with UDP. With TCP, the only unconfirmed packet will
be the TCP SYN, those aren't aggregated by GRO.
Next patch adds a udpgro test case to cover this scenario.
netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation
Ulrich reports a regression with nfqueue:
If an application did not set the 'F_GSO' capability flag and a gso
packet with an unconfirmed nf_conn entry is received all packets are
now dropped instead of queued, because the check happens after
skb_gso_segment(). In that case, we did have exclusive ownership
of the skb and its associated conntrack entry. The elevated use
count is due to skb_clone happening via skb_gso_segment().
Move the check so that its peformed vs. the aggregated packet.
Then, annotate the individual segments except the first one so we
can do a 2nd check at reinject time.
For the normal case, where userspace does in-order reinjects, this avoids
packet drops: first reinjected segment continues traversal and confirms
entry, remaining segments observe the confirmed entry.
While at it, simplify nf_ct_drop_unconfirmed(): We only care about
unconfirmed entries with a refcnt > 1, there is no need to special-case
dying entries.
This only happens with UDP. With TCP, the only unconfirmed packet will
be the TCP SYN, those aren't aggregated by GRO.
Next patch adds a udpgro test case to cover this scenario.
Basic Information
ID
CVE-2026-45859
Source
Linux
Published
May 27, 2026 at 12:15
Modified
May 30, 2026 at 10:45
Affected Product
Vendor
Linux
Product
Linux
Version
7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Affected Versions
Linux Linux 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Linux Linux 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Linux Linux 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Linux Linux 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Linux Linux 6c4a0ba674f410ab99a30a16f32dac0ebfed5cd3
Linux Linux 6dcc8ba8a6074bb79040f502dc66ad23a58a1c86
Linux Linux 74e6eb7fd27ef1ccc68041dbc66e6d80d2e4a1a0
Linux Linux 025b3326c5c409b372d0103ad30f174e55adbd1b
Linux Linux 5.15.166
Linux Linux 6.1.107
Linux Linux 6.6.48
Linux Linux 6.10.7
Linux Linux 6.11
Linux Linux 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Linux Linux 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Linux Linux 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb
Linux Linux 6c4a0ba674f410ab99a30a16f32dac0ebfed5cd3
Linux Linux 6dcc8ba8a6074bb79040f502dc66ad23a58a1c86
Linux Linux 74e6eb7fd27ef1ccc68041dbc66e6d80d2e4a1a0
Linux Linux 025b3326c5c409b372d0103ad30f174e55adbd1b
Linux Linux 5.15.166
Linux Linux 6.1.107
Linux Linux 6.6.48
Linux Linux 6.10.7
Linux Linux 6.11