CVE-2026-23016 Overview
CVE-2026-23016 is a vulnerability in the Linux kernel's network fragment reassembly subsystem that results in leaked conntrack references. The issue occurs when defragmented SKBs (socket buffers) retain nf_conn references through their fragment lists, which prevents proper conntrack cleanup during network namespace teardown. This can cause conntrack cleanup operations to hang indefinitely, affecting system stability and potentially leading to denial of service conditions.
Critical Impact
This vulnerability can cause conntrack cleanup operations to block for extended periods (60+ seconds), potentially leading to system instability and denial of service when network namespaces are being cleaned up.
Affected Products
- Linux kernel (versions with udp: use skb_attempt_defer_free() commit 6471658dc66c)
- Linux kernel with nf_conntrack enabled
- Systems using IPv4/IPv6 packet defragmentation with conntrack
Discovery Timeline
- 2026-01-31 - CVE CVE-2026-23016 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23016
Vulnerability Analysis
The vulnerability stems from improper handling of conntrack references in the Linux kernel's network fragment reassembly code. When fragmented packets are processed through the defragmentation engine, the resulting reassembled SKBs retain nf_conn references from their fragment lists. The function skb_release_head_state() does not follow the fragment list chain, leaving conntrack references attached to fragments that may be queued in per-CPU freelists.
The problematic execution path involves multiple stages of packet processing where conntrack references accumulate but are not properly released. While the TCP and UDP stacks call nf_reset_ct() before placing SKBs on socket queues, this function does not iterate through fragment list SKBs, leaving references orphaned.
Root Cause
The root cause is that skb_release_head_state() does not traverse the fragment list (frag_list) when releasing SKB state. This means when reassembled packets containing fragment lists are freed or deferred, the conntrack references held by individual fragments in the list are not properly decremented.
The issue became reproducible after commit 6471658dc66c which introduced skb_attempt_defer_free() for UDP processing. However, the underlying problem affects any code path where reassembled SKBs with fragment lists retain conntrack references, including TCP when PMTU discovery is disabled.
Attack Vector
The vulnerability can be triggered through the following execution path:
- A network namespace emits fragmented packets
- nf_defrag_v6_hook reassembles packets in the output hook
- Reassembled SKB is tracked and owns an nf_conn reference
- ip6_output refragments the packets
- Refragmented packets inherit nf_conn references via ip6_copy_metadata()
- On input path, nf_defrag_v6_hook skips defragmentation since fragments already have skb->nf_conn attached
- SKBs are reassembled via ipv6_frag_rcv()
- skb_consume_udp calls skb_attempt_defer_free(), placing SKB in per-CPU freelist while retaining nf_conn reference
The vulnerability is reproducible using the ip_defrag.sh selftest with net.core.skb_defer_max=0 disabled. Setting this value to 0 prevents the hang by avoiding the per-CPU freelist code path.
Detection Methods for CVE-2026-23016
Indicators of Compromise
- Kernel warning messages containing conntrack cleanup blocked for 60s in system logs
- Warnings originating from net/netfilter/nf_conntrack_core.c:2512 or similar locations
- System hangs or delays during network namespace cleanup operations
- Increased memory consumption in conntrack tables that doesn't decrease after connection termination
Detection Strategies
- Monitor kernel logs for nf_conntrack_cleanup_net_list() warnings using log aggregation tools
- Implement kernel tracing on skb_attempt_defer_free() calls to identify orphaned conntrack references
- Track conntrack table growth patterns for anomalous reference accumulation
- Use eBPF probes to monitor fragmentation and reassembly operations in production environments
Monitoring Recommendations
- Configure alerting on kernel warning messages related to conntrack cleanup timeouts
- Monitor /proc/net/nf_conntrack for unexpected reference count growth
- Track network namespace creation and destruction events for cleanup delays
- Implement periodic conntrack table auditing to identify leaked references
How to Mitigate CVE-2026-23016
Immediate Actions Required
- Apply the available kernel patches from the official Linux kernel repositories
- Consider setting net.core.skb_defer_max=0 as a temporary mitigation to avoid the per-CPU freelist code path
- Schedule maintenance windows for kernel updates on affected systems
- Monitor systems for conntrack cleanup warnings until patches are applied
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix drops nf_conn entries when fragments are placed in the defrag queue, while keeping the nf_conn entry of the first fragment (offset 0) so that reassembled SKBs retain the entry for the TX path.
Patches are available through the official kernel git repositories:
Workarounds
- Set net.core.skb_defer_max=0 to disable the per-CPU freelist behavior that triggers the issue
- Avoid frequent network namespace creation and destruction if possible until patched
- Consider disabling nf_conntrack if not required for your network security policy
- Implement network segmentation to reduce fragmented packet processing load
# Configuration example - temporary workaround
# Disable per-CPU freelist behavior to prevent conntrack reference leaks
sysctl -w net.core.skb_defer_max=0
# Make persistent across reboots
echo "net.core.skb_defer_max=0" >> /etc/sysctl.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
