CVE-2026-46323

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

In the Linux kernel, the following vulnerability has been resolved:

net: gro: don't merge zcopy skbs

skb gro receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL MANAGED FRAG REFS flag.

When SKBFL MANAGED FRAG REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2026-46323

Affected Products

Linux

CVE-2026-46323

Related Identifiers

Affected Products

References · 6