CVE-2026-43036 Overview
CVE-2026-43036 is a Linux kernel networking vulnerability in the Generic Segmentation Offload (GSO) path. The flaw resides in gso_features_check(), which is invoked from netif_skb_features() during transmit processing. The function reads iph->frag_off from the IPv4 header through ip_hdr() or inner_ip_hdr() to decide whether to clear mangleid_features. On packets injected through PF_PACKET sockets, the header offsets that these accessors rely on are not always safe for direct dereference, leading to an uninitialized memory read. Syzbot's KMSAN (Kernel Memory Sanitizer) instrumentation reported the issue as a uninit-value warning [CWE-908].
Critical Impact
A local user with the ability to open PF_PACKET sockets can trigger an uninitialized memory read in the kernel networking transmit path, potentially leaking kernel memory contents or enabling further exploitation primitives.
Affected Products
- Linux kernel mainline (TCPv4 GSO transmit path)
- Stable kernel branches referenced by commits cc91202f, d970341c, ddc748a3, and f7a6cd50
- Distributions shipping affected stable kernels prior to backporting the fix
Discovery Timeline
- Reported by Syzbot — KMSAN uninit-value warning surfaced in gso_features_check() (see Syzkaller bug 1543a7d954d9c6d00407)
- 2026-05-01 — CVE-2026-43036 published to NVD
- 2026-05-01 — Last updated in NVD database
Technical Details for CVE-2026-43036
Vulnerability Analysis
The defect lies in how the Linux networking stack reads the IPv4 fragment offset field during GSO feature negotiation. gso_features_check() consults iph->frag_off to determine whether the stack should preserve the IP identification field across segmentation. The accessor macros ip_hdr() and inner_ip_hdr() compute their pointer using skb->network_header, assuming the header bytes are present in the linear portion of the socket buffer.
Packets crafted and injected through PF_PACKET raw sockets do not always satisfy this assumption. The header may sit in a paged fragment, or the network_header offset may not point at fully initialized data. Dereferencing iph->frag_off in that state reads memory that KMSAN flags as uninitialized, classifying the issue as an uninitialized memory use [CWE-908].
The exploitation surface depends on whether an attacker can open AF_PACKET sockets, which typically requires CAP_NET_RAW. The EPSS score is 0.023%, reflecting low observed exploitation likelihood, but the bug is reachable from unprivileged user namespaces on systems that grant CAP_NET_RAW inside them.
Root Cause
The root cause is unsafe direct header dereference on a non-linear or partially populated sk_buff. The transmit fast path trusted ip_hdr() to return a valid, in-linear-area pointer for all packet sources, but PF_PACKET injection breaks that invariant.
Attack Vector
A local process with CAP_NET_RAW constructs a TCPv4 packet via AF_PACKET with a layout that places the IP header outside the linear skb data area or with uninitialized header bytes. Sending the packet drives the kernel through netif_skb_features() and into gso_features_check(), where the read of iph->frag_off returns uninitialized data. The fix replaces the direct dereference with skb_header_pointer(), which copies the header bytes into a local buffer when needed and returns a safe pointer regardless of the skb layout.
No public proof-of-concept beyond the Syzkaller reproducer is available. Exploitation code is therefore not reproduced here. See the upstream commits at git.kernel.org commit cc91202f and git.kernel.org commit f7a6cd50 for the patch diffs.
Detection Methods for CVE-2026-43036
Indicators of Compromise
- KMSAN or KASAN warnings referencing gso_features_check or netif_skb_features in dmesg or kernel logs
- Unexpected processes holding AF_PACKET raw sockets, especially non-root processes inside user namespaces
- Repeated transmission of malformed TCPv4 packets where the IP header is split across skb fragments
Detection Strategies
- Audit running kernel version against the fixed commits in stable branches and flag hosts running pre-patch builds
- Monitor auditd for socket(AF_PACKET, ...) syscalls correlated with non-privileged UIDs or container workloads
- Enable KMSAN or KASAN on test fleets to surface uninitialized read warnings before production deployment
Monitoring Recommendations
- Forward kernel ring buffer messages to a centralized log pipeline and alert on BUG: or KMSAN strings tied to networking symbols
- Track CAP_NET_RAW capability grants in container runtime configurations and Kubernetes pod specs
- Baseline expected AF_PACKET socket users so anomalous openers stand out in EDR telemetry
How to Mitigate CVE-2026-43036
Immediate Actions Required
- Apply the upstream patch that switches the TCPv4 frag_off read to skb_header_pointer() in gso_features_check()
- Rebuild and redeploy custom kernels using the commits referenced in the NVD entry
- Restrict CAP_NET_RAW in container and user-namespace configurations until patched kernels are in place
Patch Information
The fix is committed across multiple stable branches. Reference patches: commit cc91202f, commit d970341c, commit ddc748a3, and commit f7a6cd50. Pull the vendor kernel update from your distribution once the backport is published.
Workarounds
- Drop CAP_NET_RAW from unprivileged users and container security contexts using seccomp or capability bounding sets
- Disable user namespaces for untrusted workloads where AF_PACKET access would otherwise be granted indirectly
- Apply seccomp filters that block the socket(AF_PACKET, ...) syscall for workloads that do not require raw networking
# Restrict AF_PACKET access for non-root users via sysctl on supported kernels
sysctl -w kernel.unprivileged_userns_clone=0
# Drop CAP_NET_RAW from a systemd service
# /etc/systemd/system/<service>.service.d/override.conf
# [Service]
# CapabilityBoundingSet=~CAP_NET_RAW
# AmbientCapabilities=
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
