CVE-2026-23254 Overview
CVE-2026-23254 is a Linux kernel vulnerability in the Generic Receive Offload (GRO) subsystem. The flaw resides in the UDP GRO completion path, where udp4_gro_complete() uses the skb encapsulation flag to choose between the outer and inner network header offsets recorded during GRO receive, on the assumption that the flag is always clear when a packet reaches the receive path. That assumption fails when a hardware NIC that offloads checksums for UDP-encapsulated traffic leaves the flag set, when the tun driver injects GSO packets carrying UDP encapsulation, or when a veth based setup produces the same skb layout. The kernel then computes the outer UDP pseudo-header checksum from the inner network header instead of the outer one, and the resulting checksum fails validation during packet processing.
Critical Impact
Incorrect outer network offset handling in UDP GRO causes pseudo-checksum validation failures that disrupt UDP-encapsulated network traffic processing in the Linux kernel.
Affected Products
- Linux kernel networking stack — net/ipv4/udp_offload.c GRO completion path
- Systems using hardware NICs that offload checksum for UDP-encapsulated traffic
- Environments using tun driver GSO injection or veth based encapsulation setups
Discovery Timeline
- 2026-03-18 - CVE-2026-23254 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-23254
Vulnerability Analysis
The defect lies in the Linux kernel's UDP Generic Receive Offload (GRO) completion logic. GRO aggregates incoming packets of one flow to reduce per-packet processing overhead. When the aggregated UDP packet reaches the completion stage, udp4_gro_complete() rewrites the outer UDP header for the merged length and seeds its checksum with the IPv4 pseudo-header checksum (source address, destination address, protocol and UDP length). That computation depends on reading the addresses from the correct network header, namely the outer one.
The completion code picks the network header offset from the pair recorded during GRO receive, one for the outer header and one for the inner header of a tunneled packet, using the skb encapsulation flag as the selector, and assumed the flag was always clear on packets arriving at the receive path. That assumption does not hold across all packet sources. Several hardware NICs preserve or set the flag when offloading checksums for UDP-encapsulated traffic, the tun driver can inject GSO packets carrying UDP encapsulation, and a veth based topology can produce the same skb layout.
When the flag is already set, udp4_gro_complete() selects the inner network offset rather than the outer offset, so the pseudo-header sum is built from the inner IP addresses. The outer UDP checksum derived from it is wrong, and the packet is dropped or mishandled later in the stack when that checksum is validated.
Root Cause
The root cause is an unsafe invariant assumption in the GRO completion path: the code treated the encapsulation flag as state it owned and did not normalize (clear) it before computing the outer pseudo checksum. This is a state-handling defect (CWE-665, Improper Initialization, class) rather than a memory safety issue.
Attack Vector
The issue is primarily a correctness and reliability defect affecting UDP-encapsulated traffic such as VXLAN, GENEVE and similar tunneling protocols. Packet flows traversing affected NICs or virtual interfaces can produce checksum validation errors and disrupt tunneled connectivity; the trigger is the flag state left on the skb by the NIC or virtual driver at receive time rather than any particular payload, so the practical risk is denial of service against overlay traffic. No remote code execution path is described in the upstream commit.
The fix clears the encapsulation flag at GRO completion time. The flag is then set again as needed for encapsulated packets by udp_gro_complete(). See the upstream fix at Kernel Git Commit 2e5edb6 and related stable backports.
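To make the offset selection concrete, the following user-space model (an added example, not code from the kernel or from the upstream fix) builds a VXLAN-in-UDP frame and runs a simplified udp4_gro_complete() over it twice, once for the outer UDP header and once for the inner one, mirroring the mechanism in the analysis above and the fix described here. The frame layout, addresses, struct and helper names are constructed for this example; the fix is modelled only as "clear the flag once, before the outer header is completed, and let the tunnel completion set it again before the inner header", which is what the description above states, not the exact upstream placement.

```c
/* Added example, not kernel code: user-space model of the network-offset
 * choice in udp4_gro_complete() on a constructed VXLAN-in-UDP frame. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {                   /* byte offsets inside the constructed frame */
    OUTER_IP_OFF  = 0,   /* IPv4 10.0.0.1 -> 10.0.0.2 */
    OUTER_UDP_OFF = 20,  /* UDP to port 4789 (VXLAN) */
    VXLAN_OFF     = 28,
    INNER_ETH_OFF = 36,
    INNER_IP_OFF  = 50,  /* IPv4 192.168.1.10 -> 192.168.1.20 */
    INNER_UDP_OFF = 70,
    PAYLOAD_OFF   = 78,
    FRAME_LEN     = 86
};

/* The pieces of sk_buff and NAPI_GRO_CB(skb) this path reads and writes. */
struct skb_model {
    uint8_t  data[FRAME_LEN];
    uint16_t len;
    int      encapsulation;       /* skb->encapsulation */
    uint16_t network_offsets[2];  /* [0] outer IP header, [1] inner IP header */
};

static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v >> 16); wr16(p + 2, v & 0xffff); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* IPv4 UDP pseudo-header checksum (saddr, daddr, proto 17, length), folded
 * and complemented like the kernel's udp_v4_check(). */
static uint16_t udp_v4_check(uint16_t len, uint32_t saddr, uint32_t daddr)
{
    uint32_t sum = (saddr >> 16) + (saddr & 0xffff) +
                   (daddr >> 16) + (daddr & 0xffff) + 17 + len;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void write_ipv4(uint8_t *p, uint16_t tot_len, uint32_t saddr, uint32_t daddr)
{
    memset(p, 0, 20);
    p[0] = 0x45; p[8] = 64; p[9] = 17;   /* IHL 5, TTL 64, protocol UDP */
    wr16(p + 2, tot_len);
    wr32(p + 12, saddr);
    wr32(p + 16, daddr);
}

/* Build the frame; encap_on_arrival models a NIC, tun or veth path that
 * hands the skb over with skb->encapsulation already set. */
static void build_frame(struct skb_model *skb, int encap_on_arrival)
{
    memset(skb, 0, sizeof(*skb));
    skb->len = FRAME_LEN;
    write_ipv4(skb->data + OUTER_IP_OFF, FRAME_LEN, 0x0a000001u, 0x0a000002u);
    wr16(skb->data + OUTER_UDP_OFF, 49152);
    wr16(skb->data + OUTER_UDP_OFF + 2, 4789);
    wr16(skb->data + OUTER_UDP_OFF + 4, FRAME_LEN - OUTER_UDP_OFF);
    skb->data[VXLAN_OFF] = 0x08;                 /* VXLAN header, I flag set */
    wr32(skb->data + VXLAN_OFF + 4, 100u << 8);  /* VNI 100 */
    write_ipv4(skb->data + INNER_IP_OFF, FRAME_LEN - INNER_IP_OFF,
               0xc0a8010au, 0xc0a80114u);
    wr16(skb->data + INNER_UDP_OFF, 5000);
    wr16(skb->data + INNER_UDP_OFF + 2, 5001);
    wr16(skb->data + INNER_UDP_OFF + 4, FRAME_LEN - INNER_UDP_OFF);
    memcpy(skb->data + PAYLOAD_OFF, "GROTEST!", 8);
    skb->network_offsets[0] = OUTER_IP_OFF;   /* recorded at GRO receive */
    skb->network_offsets[1] = INNER_IP_OFF;   /* recorded for the inner header */
    skb->encapsulation = encap_on_arrival;
}

/* udp4_gro_complete(): choose the IP header by skb->encapsulation and seed
 * uh->check with the pseudo-header sum. Returns the value written. */
static uint16_t model_udp4_gro_complete(struct skb_model *skb, uint16_t nhoff)
{
    uint16_t off = skb->network_offsets[skb->encapsulation];
    uint32_t saddr = rd32(skb->data + off + 12);
    uint32_t daddr = rd32(skb->data + off + 16);
    uint16_t check = (uint16_t)~udp_v4_check(skb->len - nhoff, saddr, daddr);
    wr16(skb->data + nhoff + 6, check);
    return check;
}

/* Completion of the whole frame. With fix_applied the flag is cleared once
 * before the outer header; the tunnel completion then sets it before the
 * inner header is completed, so the inner call still picks offset [1].
 * which: 0 = seed written to the outer UDP header, 1 = inner UDP header. */
static uint16_t gro_check(int encap_on_arrival, int fix_applied, int which)
{
    struct skb_model skb;
    uint16_t out[2];
    build_frame(&skb, encap_on_arrival);
    if (fix_applied)
        skb.encapsulation = 0;
    out[0] = model_udp4_gro_complete(&skb, OUTER_UDP_OFF);
    skb.encapsulation = 1;
    out[1] = model_udp4_gro_complete(&skb, INNER_UDP_OFF);
    return out[which];
}

int main(void)
{
    printf("clean arrival:       outer %04x inner %04x\n", gro_check(0, 0, 0), gro_check(0, 0, 1));
    printf("flag set, unpatched: outer %04x inner %04x\n", gro_check(1, 0, 0), gro_check(1, 0, 1));
    printf("flag set, patched:   outer %04x inner %04x\n", gro_check(1, 1, 0), gro_check(1, 1, 1));
    return 0;
}
```

The outer seed is 0x1456 when the pseudo-header is built from 10.0.0.1/10.0.0.2, but 0x83c2 when the stale flag steers the lookup to the inner 192.168.1.x addresses; the inner seed (0x8390) is the same in every case, which is why clearing the flag once at completion is enough and why the per-header selector itself is not the bug.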
Detection Methods for CVE-2026-23254
Indicators of Compromise
- Elevated UDP checksum error counters on hosts handling encapsulated traffic: InCsumErrors on the Udp: line of /proc/net/snmp, reported by nstat as UdpInCsumErrors
- Unexpected packet drops in VXLAN, GENEVE, or other UDP-tunneled overlays terminating on affected kernels
- Connectivity failures on veth pairs or tun interfaces carrying UDP-encapsulated GSO traffic
These are symptoms of the defect being triggered, or of an unrelated checksum offload misconfiguration, not evidence of an intrusion.
Detection Strategies
- Inventory Linux kernel versions across hosts and identify systems running pre-patch versions referenced in the stable commits
- Correlate NIC vendor and driver behavior — specifically NICs that offload checksum for UDP encapsulation — with kernel version data
- Monitor for tunneling protocol degradation metrics alongside kernel logs reporting checksum mismatches
Monitoring Recommendations
- Track nstat and ethtool -S counters for checksum errors on interfaces handling overlay traffic
- Capture packet traces on suspected interfaces and inspect outer UDP pseudo checksums for tunneled flows
- Alert on sustained increases in UDP InCsumErrors relative to baseline traffic volume
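As an added example (not from the page or from any vendor tool), the following C program parses the Udp: counter pair from /proc/net/snmp text and compares two snapshots, reporting checksum errors per million datagram arrivals so an alert is keyed to traffic volume rather than to an absolute count. The two snapshots embedded in it are constructed and abbreviated, and the threshold is an assumed tuning value; on a live host the same functions can be fed two reads of the real file taken a minute apart.

```c
/* Added example: parse the Udp: counters of /proc/net/snmp and rate the
 * growth of InCsumErrors against received datagrams between two snapshots. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of the column `name` from the "Udp:" header/value line pair, or -1
 * if the pair or the column is absent. */
static long long snmp_udp_counter(const char *snmp, const char *name)
{
    char hdr[512], val[512];
    const char *p = snmp;
    int seen = 0, idx = -1, i = 0;

    /* Each protocol appears as a header line followed by a value line with
     * the same prefix; matching "Udp: " with the colon keeps "UdpLite:" out. */
    while (*p && seen < 2) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= 5 && n - 5 < sizeof(hdr) && strncmp(p, "Udp: ", 5) == 0) {
            char *dst = seen == 0 ? hdr : val;
            memcpy(dst, p + 5, n - 5);
            dst[n - 5] = '\0';
            seen++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    if (seen < 2)
        return -1;

    /* Locate the column by name in the header, then read that column. */
    for (char *t = strtok(hdr, " "); t; t = strtok(NULL, " "), i++)
        if (strcmp(t, name) == 0) { idx = i; break; }
    if (idx < 0)
        return -1;
    i = 0;
    for (char *t = strtok(val, " "); t; t = strtok(NULL, " "), i++)
        if (i == idx)
            return atoll(t);
    return -1;
}

/* Checksum errors per million datagram arrivals between two snapshots
 * (InCsumErrors are dropped before InDatagrams is counted, so the arrival
 * total is the sum of both deltas). Returns 0 if errors did not grow,
 * -1 on a parse failure or a counter reset. */
static long long udp_csum_error_ppm(const char *before, const char *after)
{
    long long e0 = snmp_udp_counter(before, "InCsumErrors");
    long long e1 = snmp_udp_counter(after,  "InCsumErrors");
    long long d0 = snmp_udp_counter(before, "InDatagrams");
    long long d1 = snmp_udp_counter(after,  "InDatagrams");
    if (e0 < 0 || e1 < 0 || d0 < 0 || d1 < 0)
        return -1;
    long long de = e1 - e0, dd = d1 - d0;
    if (dd < 0)
        return -1;           /* counters went backwards: reboot or reset */
    if (de <= 0)
        return 0;
    return de * 1000000 / (dd + de);   /* de > 0, so the divisor is positive */
}

/* 1 when the error rate exceeds threshold_ppm, 0 when not, -1 on error. */
static int udp_csum_spike(const char *before, const char *after, long long threshold_ppm)
{
    long long ppm = udp_csum_error_ppm(before, after);
    return ppm < 0 ? -1 : ppm > threshold_ppm;
}

/* Constructed snapshots; a real file carries more protocol lines and columns. */
static const char SNMP_BEFORE[] =
    "Ip: Forwarding DefaultTTL InReceives\n"
    "Ip: 1 64 5000000\n"
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors\n"
    "Udp: 1000000 12 3 950000 0 0 3 40 0\n"
    "UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors\n"
    "UdpLite: 0 0 0 0 0 0 0 0 0\n";
static const char SNMP_AFTER[] =
    "Ip: Forwarding DefaultTTL InReceives\n"
    "Ip: 1 64 5300000\n"
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors\n"
    "Udp: 1200000 14 2503 1150000 0 0 2503 45 0\n"
    "UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors\n"
    "UdpLite: 0 0 0 0 0 0 0 0 0\n";

int main(void)
{
    const long long threshold_ppm = 1000;   /* assumed tuning value */
    printf("InCsumErrors: %lld -> %lld, %lld ppm of arrivals, spike=%d\n",
           snmp_udp_counter(SNMP_BEFORE, "InCsumErrors"),
           snmp_udp_counter(SNMP_AFTER, "InCsumErrors"),
           udp_csum_error_ppm(SNMP_BEFORE, SNMP_AFTER),
           udp_csum_spike(SNMP_BEFORE, SNMP_AFTER, threshold_ppm));
    return 0;
}
```

The parser walks header and value columns by name rather than by a fixed index, because the Udp: line gained columns over kernel releases (IgnoredMulti, MemErrors) and a hard-coded position silently reads the wrong counter on an older or newer kernel.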
How to Mitigate CVE-2026-23254
Immediate Actions Required
- Identify all Linux hosts processing UDP-encapsulated traffic such as VXLAN, GENEVE, or GRE-over-UDP overlays
- Apply the upstream stable kernel updates containing the GRO outer network offset fix
- Validate connectivity and checksum counters on overlay networks after patching
Patch Information
The fix always clears the encapsulation flag at GRO completion, allowing udp_gro_complete() to set it again only when required for encapsulated packets. Apply the patches from the following upstream commits: Kernel Git Commit 2e5edb6, Kernel Git Commit 5c2c3c3, Kernel Git Commit 9d40a85, and Kernel Git Commit b83557b.
Workarounds
- Disable GRO on affected interfaces with ethtool -K <iface> gro off, accepting the throughput trade-off. The narrower rx-gro-list and rx-udp-gro-forwarding features only govern socket-level and forwarding UDP GRO; aggregation on VXLAN and GENEVE tunnel sockets continues with them off, so generic-receive-offload itself has to be disabled
- Disable hardware checksum offload for UDP-encapsulated traffic on NICs known to set the encapsulation flag; whether that stops the driver from setting the flag is driver dependent, so confirm with the checksum counters afterwards
- Where feasible, route encapsulated traffic away from hosts running unpatched kernels until updates are deployed
# Example: disable GRO on an interface as a temporary workaround
ethtool -K eth0 gro off
# Verify current offload settings
ethtool -k eth0 | grep -E "generic-receive-offload|tx-checksum|rx-checksum"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.