
CVE-2026-53235: Linux Kernel GRO Data Pull Vulnerability

CVE-2026-53235 is a data handling flaw in the Linux kernel's skb_gro_receive_list() function that can cause a kernel BUG when processing network packets. This article covers technical details, affected versions, and mitigation.

CVE-2026-53235 Overview

CVE-2026-53235 is a Linux kernel networking vulnerability in the Generic Receive Offload (GRO) path. The function skb_gro_receive_list() invokes skb_pull(skb, skb_gro_offset(skb)) without first calling pskb_may_pull() to ensure the requested data resides in the socket buffer's linear area. When a socket buffer (skb) arrives through napi_gro_frags() with all data in page fragments, skb_headlen can be zero while skb_gro_offset is non-zero, triggering the BUG_ON(skb->len < skb->data_len) assertion in __skb_pull(). The fix adds the missing precondition check and flushes the GRO state when the pull cannot proceed.

Critical Impact

Triggering the kernel BUG_ON halts the affected CPU context and results in a denial-of-service condition on systems processing GRO-eligible network traffic.

Affected Products

  • Linux kernel networking stack (net/core GRO path)
  • Affected function: skb_gro_receive_list()
  • Callers including TCP and UDP fraglist GRO paths

Discovery Timeline

  • 2026-06-25 - CVE-2026-53235 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53235

Vulnerability Analysis

The defect resides in the kernel's GRO aggregation path, which merges incoming packets to reduce per-packet processing overhead. skb_gro_receive_list() advances the skb data pointer past the protocol header by calling skb_pull(skb, skb_gro_offset(skb)). The contract of skb_pull() requires the requested bytes to live in the skb's linear (head) area. When the skb originates from napi_gro_frags(), the payload is held in page fragments and skb_headlen is zero, while skb_gro_offset reflects an offset past IP and TCP headers that the GRO layer already parsed. Pulling against a zero-length linear region decrements skb->len while leaving skb->data_len unchanged, breaking the invariant skb->len >= skb->data_len and tripping the BUG_ON inside __skb_pull().

Root Cause

The root cause is a missing input validation guard before a memory layout-sensitive operation. The UDP fraglist GRO path at udp_offload.c:749 already contained an equivalent pskb_may_pull() check, but the generic helper did not. Any caller routing fragmented skbs through skb_gro_receive_list() without its own pull check could reach the faulty state.

Attack Vector

The vulnerability is reachable from the network receive path on interfaces that use napi_gro_frags() for packet ingestion. A crafted sequence of TCP or UDP segments that lands wholly in page fragments and is selected for GRO list aggregation can drive the skb into the unsafe state. Successful triggering causes a kernel BUG(), terminating the receive softirq context. No authentication is required to deliver packets to a network interface, so the impact surface includes any host accepting traffic on a GRO-enabled NIC.

The patch adds pskb_may_pull() inside skb_gro_receive_list() itself, centralizing the guard for TCP, UDP, and any future protocol users. On failure, the fix sets NAPI_GRO_CB(skb)->flush = 1 so the skb is not retained as a GRO head and is delivered through the normal receive path instead. Technical details are available in the upstream commits referenced below.
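The len/data_len invariant and the guard described above, as an added user-space model (not kernel code and not the upstream patch): the field names len, data_len and the flush flag follow the kernel, while every function is a hypothetical stand-in for __skb_pull(), pskb_may_pull() and the receive-list step that models only the bookkeeping, not the byte copying.

```c
/* Added example, not kernel code: a user-space model of the skb pull
 * arithmetic behind this bug. len/data_len/flush mirror kernel field names;
 * every function here is a simplified hypothetical stand-in. */
#include <stdbool.h>

struct skb_model {
    unsigned int len;        /* total bytes: linear head + page fragments */
    unsigned int data_len;   /* bytes living in page fragments */
    unsigned int gro_offset; /* header bytes GRO already parsed */
    int flush;               /* stands in for NAPI_GRO_CB(skb)->flush */
};

/* skb_headlen(): bytes available in the linear (head) area */
static unsigned int headlen_model(const struct skb_model *skb) {
    return skb->len - skb->data_len;
}

/* __skb_pull(): shrink len, leave data_len alone. Returns false exactly
 * where the kernel would trip BUG_ON(skb->len < skb->data_len). */
static bool skb_pull_model(struct skb_model *skb, unsigned int n) {
    skb->len -= n;
    return skb->len >= skb->data_len;
}

/* pskb_may_pull(): true if n bytes are, or can be made, linear. Only the
 * bookkeeping of linearising is modelled, so n > len fails. */
static bool pskb_may_pull_model(struct skb_model *skb, unsigned int n) {
    unsigned int head = headlen_model(skb);
    if (n <= head)
        return true;
    if (n > skb->len)
        return false;
    skb->data_len -= n - head; /* move the missing header bytes to the head */
    return true;
}

/* Pre-fix step: pull straight away. */
static bool gro_receive_list_unguarded(struct skb_model *skb) {
    return skb_pull_model(skb, skb->gro_offset);
}
/* Fixed step: check first; on failure flush so the skb is not kept as a
 * GRO head and goes through the normal receive path instead. */
static bool gro_receive_list_guarded(struct skb_model *skb) {
    if (!pskb_may_pull_model(skb, skb->gro_offset)) {
        skb->flush = 1;
        return false;
    }
    return skb_pull_model(skb, skb->gro_offset);
}
```

An all-fragments skb (headlen 0, non-zero gro_offset) fails the unguarded step, while the guarded step either linearises the header bytes and pulls cleanly or sets flush and leaves the skb untouched.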

Detection Methods for CVE-2026-53235

Indicators of Compromise

  • Kernel oops or panic backtraces containing __skb_pull, skb_gro_receive_list, and napi_gro_frags frames.
  • Repeated BUG: ... skb->len < skb->data_len messages in dmesg or /var/log/kern.log correlated with network traffic spikes.
  • Unexpected NIC receive queue stalls or softirq CPU spikes followed by host reboots.

Detection Strategies

  • Monitor kernel ring buffers across Linux fleets for BUG_ON traces originating in the GRO code path.
  • Correlate kernel crash telemetry with the running kernel version to identify hosts on unpatched branches.
  • Inspect NIC drivers using napi_gro_frags() (commonly Mellanox, Intel ice/i40e, Broadcom bnxt) for elevated crash frequency.
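Detection logic for the indicators and the ring-buffer monitoring above, as an added example that is not part of the advisory: it scans kernel log lines and counts backtraces that contain all three frame names. The frame names are the ones listed above; the log lines are constructed, not captured from a real host.

```c
/* Added example, not from the advisory: flag kernel-log excerpts whose
 * backtrace contains the GRO pull frames listed above. Frame names come from
 * the advisory; the sample log below is constructed, not a real capture. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define NFRAMES 3
static const char *const GRO_FRAMES[NFRAMES] = {
    "__skb_pull", "skb_gro_receive_list", "napi_gro_frags"
};

/* True when every frame of interest appears somewhere in one trace. */
static bool trace_matches(const char *const *lines, size_t n) {
    bool seen[NFRAMES] = { false };
    for (size_t i = 0; i < n; i++)
        for (int f = 0; f < NFRAMES; f++)
            if (strstr(lines[i], GRO_FRAMES[f]))
                seen[f] = true;
    return seen[0] && seen[1] && seen[2];
}

/* Count matching traces. A trace starts at a line containing "kernel BUG"
 * (what BUG_ON prints) and runs until the next such line or end of input. */
static int count_gro_traces(const char *const *lines, size_t n) {
    int hits = 0;
    size_t start = 0;
    bool in_trace = false;
    for (size_t i = 0; i <= n; i++) {
        bool boundary = (i == n) || strstr(lines[i], "kernel BUG") != NULL;
        if (!boundary) continue;
        if (in_trace && trace_matches(lines + start, i - start)) hits++;
        start = i;
        in_trace = (i < n);
    }
    return hits;
}

/* Constructed sample: one GRO-path oops followed by one unrelated oops. */
static const char *const SAMPLE_LOG[] = {
    "kernel BUG at net/core/skbuff.c:NNN!",
    " __skb_pull+0x2a/0x40",
    " skb_gro_receive_list+0x5c/0x1a0",
    " napi_gro_frags+0x1f3/0x2e0",
    "kernel BUG at fs/ext4/inode.c:NNN!",
    " ext4_writepages+0x1a/0xb0",
};
static int sample_gro_hits(void) {
    return count_gro_traces(SAMPLE_LOG, sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
}
```

Feeding it dmesg or /var/log/kern.log output one line per entry gives a per-host count that can be forwarded as a metric to the SIEM alert described below.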

Monitoring Recommendations

  • Forward kernel.* syslog facilities to a centralized logging or SIEM platform and alert on GRO-related stack traces.
  • Track host uptime regressions and unscheduled reboots on systems exposed to untrusted network segments.
  • Validate kernel build versions through configuration management to confirm patched commit hashes are deployed.

How to Mitigate CVE-2026-53235

Immediate Actions Required

  • Identify Linux hosts running kernels that include skb_gro_receive_list() without the pskb_may_pull() guard and prioritize them for patching.
  • Apply the upstream stable kernel update containing commit 0cde3a004119db637b401c54e77536e4145fc0b4 or the equivalent vendor backport.
  • Reboot affected systems after kernel package upgrades to load the fixed image.

Patch Information

The fix is merged into the mainline and stable Linux kernel trees. The relevant commits are 0cde3a004119db637b401c54e77536e4145fc0b4, 848571dcbbbea7ba44dd4f7ebe1fbb274afe08ac, 9e636c995b7beeb74ea882968248752821c244c4, and f2bb3434544454099a5b6dec213567267b05d79d. Distribution maintainers (Red Hat, SUSE, Ubuntu, Debian, Oracle) publish backports as part of routine kernel security updates. Apply the stable kernel release that matches your supported branch.

Workarounds

  • Disable Generic Receive Offload on exposed interfaces using ethtool -K <iface> gro off as a temporary measure until patches are deployed.
  • Restrict untrusted traffic at upstream firewalls or load balancers to reduce exposure of GRO-eligible flows.
  • Where the driver supports it, switch to a receive mode that does not route packets through napi_gro_frags(), avoiding the unsafe code path.

```bash
# Temporarily disable GRO on a network interface until the kernel patch is applied
sudo ethtool -K eth0 gro off

# Verify the new offload state
ethtool -k eth0 | grep generic-receive-offload

# Re-enable GRO after upgrading to a patched kernel
sudo ethtool -K eth0 gro on
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
