CVE-2026-23154 Overview
CVE-2026-23154 is a vulnerability in the Linux kernel's network stack affecting Generic Segmentation Offload (GSO) segment handling for fragmented list Generic Receive Offload (GRO) packets. The flaw occurs when forwarding GRO packets that have undergone XLAT (IPv4/IPv6 protocol translation), where the skb_segment_list function cannot correctly process GRO skbs that have been converted, resulting in protocol inconsistencies and reduced network throughput.
The vulnerability specifically impacts network environments where stations access IPv4 servers via hotspots with IPv6-only upstream interfaces. The XLAT translation process only translates the header of the head skb, leaving skbs in the frag_list untranslated, which causes protocol mismatches during GSO segmentation.
Critical Impact
Network throughput degradation and potential packet processing errors when forwarding GRO packets through XLAT protocol translation, affecting IPv4-to-IPv6 and IPv6-to-IPv4 network transitions.
Affected Products
- Linux Kernel (multiple versions with GSO/GRO fraglist handling)
- Systems using XLAT protocol translation (IPv4/IPv6)
- Network configurations with IPv6-only upstream interfaces serving IPv4 traffic
Discovery Timeline
- February 14, 2026 - CVE CVE-2026-23154 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23154
Vulnerability Analysis
This vulnerability exists in the Linux kernel's GSO segmentation logic when handling forwarded GRO packets that contain a frag_list. The core issue arises from the interaction between GRO packet aggregation and XLAT protocol translation helpers (bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4).
When GRO aggregates packets into a frag_list structure and those packets subsequently undergo XLAT translation, only the head skb's header is translated. The remaining skbs in the frag_list retain their original protocol headers. When skb_segment_list processes these packets, it encounters protocol inconsistencies between the translated head and untranslated fragments, leading to improper segmentation and throughput degradation.
Root Cause
The root cause is the absence of the SKB_GSO_DODGY flag on GSO packets after XLAT protocol translation. Without this flag, the GSO segmentation path uses skb_segment_list, which assumes all fragments share consistent protocol headers. This assumption fails for XLAT-translated packets where frag_list entries may have mismatched protocols, causing the segmentation logic to produce malformed or incorrectly processed packets.
Attack Vector
The attack vector for this vulnerability is network-based, occurring during normal packet forwarding operations. The vulnerability is triggered when:
- A network station connects through a hotspot configured with an IPv6-only upstream interface
- The station attempts to access IPv4 servers, requiring XLAT translation
- GRO aggregates incoming packets into a frag_list structure
- The XLAT helpers translate the protocol headers but only for the head skb
- GSO segmentation processes the inconsistent packet structure, causing throughput issues
The fix addresses this by explicitly setting the SKB_GSO_DODGY flag in the XLAT protocol translation helpers. This flag causes GSO segmentation to use skb_segment instead of skb_segment_list, ensuring proper handling of potentially modified GSO packets.
Detection Methods for CVE-2026-23154
Indicators of Compromise
- Significant network throughput degradation when forwarding traffic through XLAT translation paths
- Increased packet retransmissions or protocol errors in network logs for IPv4-to-IPv6 transition scenarios
- Kernel messages or dmesg entries related to GSO segmentation failures or SKB processing errors
Detection Strategies
- Monitor network interface statistics for unusual packet drop rates or segmentation offload errors
- Implement network performance baselines and alert on throughput anomalies in XLAT translation paths
- Review kernel logs for warnings related to skb_segment_list or GSO processing failures
Monitoring Recommendations
- Enable kernel tracing for network stack functions including skb_segment_list and skb_segment to identify processing anomalies
- Monitor network throughput metrics on systems acting as hotspots or XLAT translation gateways
- Track GRO and GSO statistics via /proc/net/ interfaces for unusual patterns
How to Mitigate CVE-2026-23154
Immediate Actions Required
- Apply the kernel patches from the official kernel git repository to affected systems
- Prioritize patching for systems functioning as network gateways or hotspots with XLAT translation
- Consider temporarily disabling GRO on affected interfaces if immediate patching is not possible
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix explicitly sets the SKB_GSO_DODGY flag for GSO packets in XLAT's IPv4/IPv6 protocol translation helpers. This ensures that GSO segmentation falls back to skb_segment for XLAT-translated packets, properly handling frag_list entries with potentially inconsistent protocol headers.
Patch commits are available at:
Workarounds
- Temporarily disable Generic Receive Offload (GRO) on interfaces handling XLAT-translated traffic using ethtool -K <interface> gro off
- Reduce MTU sizes on affected interfaces to minimize frag_list formation
- Implement traffic segmentation to isolate XLAT translation workloads from critical network paths
# Disable GRO on affected interface as temporary workaround
ethtool -K eth0 gro off
# Verify GRO is disabled
ethtool -k eth0 | grep generic-receive-offload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
