CVE-2026-53235

HIGH

net: add pskb_may_pull() to skb_gro_receive_list()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net: add pskb_may_pull() to skb_gro_receive_list() skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without first ensuring the data is in the linear area via pskb_may_pull(). When the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in page fragments) while skb_gro_offset is non-zero (after IP+TCP header parsing). The skb_pull() then decrements skb->len by skb_gro_offset but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len) in __skb_pull(). The UDP fraglist GRO path already contains this guard at udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides centralized protection for all callers (TCP, UDP, and any future protocols), and ensures the precondition of skb_pull() is satisfied before it is called. On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the UDP handling.

Scores

CVSS v3 7.5
EPSS 0.0047
EPSS Percentile 37.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (15)
linux/Kernel 6.10.0 - 6.12.94linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.19.0 - 7.0.13linux
Linux/Linux < 6.10
Linux/Linux 6.10
Linux/Linux 6.12.94 - 6.12.*
Linux/Linux 6.18.36 - 6.18.*
Linux/Linux 7.0.13 - 7.0.*
Linux/Linux 7.1
Linux/Linux 8d95dc474f85481652a0e422d2f1f079de81f63c - 0cde3a004119db637b401c54e77536e4145fc0b4
... and 5 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026