CVE-2026-46323 Overview
CVE-2026-46323 is a Linux kernel vulnerability in the Generic Receive Offload (GRO) networking subsystem. The flaw resides in skb_gro_receive(), which merges fragments between source and GRO socket buffers (skbs) without validating the zerocopy status. Specifically, the function ignores the SKBFL_MANAGED_FRAG_REFS flag, which indicates that the skb does not hold a reference on the pages stored in shinfo->frags. Appending these fragments to another skb's frag list without correcting the page reference count can result in a use-after-free (UAF) condition on the underlying memory pages.
Critical Impact
A use-after-free in the kernel networking path can lead to memory corruption, potential privilege escalation, or denial of service on affected Linux systems.
Affected Products
- Linux kernel (mainline, GRO networking subsystem)
- Stable kernel branches receiving the referenced backports
- Linux distributions shipping vulnerable kernel versions prior to the fix commits
Discovery Timeline
- 2026-06-09 - CVE-2026-46323 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46323
Vulnerability Analysis
The Linux kernel uses GRO to coalesce incoming network packets into larger skbs before passing them up the network stack, improving throughput. The skb_gro_receive() function performs this merge by appending fragments from a source skb onto a target GRO skb. The defect is that this merge path does not inspect the shared info flags on either skb before transferring page references.
When an skb has SKBFL_MANAGED_FRAG_REFS set, ownership of the page references is managed externally rather than by the skb itself. Copying those frag entries into a second skb produces two skbs that both reference the same pages, but only one tracks ownership correctly. When the page is later freed by the original owner, the merged GRO skb retains a dangling pointer to released memory.
Root Cause
The root cause is missing validation of the zerocopy state during fragment merging. skb_gro_receive() assumes all frags are owned through normal page refcounting and does not test for SKBFL_MANAGED_FRAG_REFS on the destination tail skb or the incoming source skb. The fix avoids merging when either skb is zerocopy, preserving correct reference semantics.
Attack Vector
Exploitation requires the local host to receive network traffic that traverses the GRO path together with zerocopy skbs, such as traffic originating from MSG_ZEROCOPY senders or virtio paths that set the managed frag refs flag. An attacker able to influence packet timing and skb composition could trigger the unsafe merge, leading to a UAF on the freed pages. The vulnerability is reachable through the kernel's network receive path and does not require authenticated user interaction with a specific service.
The upstream remediation modifies skb_gro_receive() so that when either the last skb in the GRO chain or the source skb has zerocopy semantics, the merge is skipped. See the Linux kernel commit 1f9c828 and related stable backports for the implementation details.
Detection Methods for CVE-2026-46323
Indicators of Compromise
- Unexpected kernel oops, panic, or BUG: KASAN: use-after-free messages referencing skb_gro_receive, napi_gro_receive, or the network softirq path.
- Sporadic memory corruption symptoms on systems handling high-volume zerocopy traffic, such as MSG_ZEROCOPY senders, AF_XDP, or virtio-net workloads.
- Crash dumps showing freed page references retained by GRO-merged skbs.
Detection Strategies
- Audit running kernel versions against the patched commits listed in the kernel.org references to identify unpatched hosts.
- Enable KASAN on test or canary kernels to surface use-after-free conditions in the GRO path during traffic replay.
- Monitor kernel ring buffer (dmesg) and centralized log collection for networking-stack stack traces involving GRO functions.
Monitoring Recommendations
- Forward /var/log/kern.log and journalctl -k output to a centralized logging platform and alert on kernel oops or KASAN reports.
- Track kernel package versions across the fleet via configuration management and flag hosts running pre-patch kernels.
- Correlate kernel crashes with workloads using zerocopy networking features to prioritize investigation.
How to Mitigate CVE-2026-46323
Immediate Actions Required
- Inventory Linux hosts and identify kernels predating the fix commits referenced on kernel.org.
- Apply the latest stable kernel update from your distribution that incorporates the GRO zerocopy merge fix.
- Reboot affected systems after patching to load the corrected kernel image.
Patch Information
The vulnerability is resolved by upstream patches that prevent merging zerocopy skbs in skb_gro_receive(). The relevant fixes are available in the following commits: Linux kernel commit 1f9c828, commit 44bea20, commit 479084a, commit 4db79a3, and commit e334cbf. Apply the kernel package from your distribution vendor that includes these commits.
Workarounds
- Disable GRO on network interfaces handling untrusted or zerocopy-heavy traffic using ethtool -K <iface> gro off as a temporary mitigation, accepting the throughput trade-off.
- Restrict workloads that rely on MSG_ZEROCOPY or other managed-frag-ref code paths until the kernel is patched.
- Isolate vulnerable hosts on segmented networks to limit exposure to attacker-controlled traffic patterns.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
