PT-2026-52330 · Linux · Linux
Published: 2026-06-25 · Updated: 2026-06-25
CVE-2026-53235
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net: add pskb_may_pull() to skb_gro_receive_list()
skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
first ensuring the data is in the linear area via pskb_may_pull(). When
the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
page fragments) while skb_gro_offset is non-zero (after IP+TCP header
parsing). The skb_pull() then decrements skb->len by skb_gro_offset
but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
in skb_pull().
The UDP fraglist GRO path already contains this guard at
udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides
centralized protection for all callers (TCP, UDP, and any future
protocols), and ensures the precondition of skb_pull() is satisfied
before it is called.
On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the
skb is not held as a new GRO head and is instead delivered through the
normal receive path, matching the UDP handling.
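The length accounting described above, as an added userspace model in C (not the kernel patch and not kernel code). The `toy_*` names, the `can_linearize` switch and the 1500/40 byte sizes are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model of the sk_buff length fields; not kernel code. */
struct toy_skb {
    unsigned int len;        /* total bytes: linear area + page fragments */
    unsigned int data_len;   /* bytes held in page fragments only */
    unsigned int gro_offset; /* header bytes already parsed by GRO */
    int can_linearize;       /* assumption: 0 simulates a failed pull */
    int flush;               /* stands in for NAPI_GRO_CB(skb)->flush */
};
enum outcome { HELD, FLUSHED, BUG_HIT };

/* Models skb_pull(): -1 marks where BUG_ON(len < data_len) would fire. */
static int toy_pull(struct toy_skb *s, unsigned int n)
{
    if (n > s->len)
        return 0;
    s->len -= n;
    return s->len < s->data_len ? -1 : 0;
}

/* Models pskb_may_pull(): make sure n bytes sit in the linear area. */
static int toy_may_pull(struct toy_skb *s, unsigned int n)
{
    unsigned int headlen = s->len - s->data_len;
    if (n <= headlen)
        return 1;
    if (n > s->len || !s->can_linearize)
        return 0;
    s->data_len -= n - headlen; /* bytes move from fragments to linear */
    return 1;
}

/* One frag-only skb (headlen 0, 40 header bytes parsed) on the list path. */
static enum outcome demo(int guarded, int can_linearize)
{
    struct toy_skb s = { 1500, 1500, 40, can_linearize, 0 };
    if (guarded && !toy_may_pull(&s, s.gro_offset)) {
        s.flush = 1; /* not held as a GRO head; normal receive path */
        return FLUSHED;
    }
    return toy_pull(&s, s.gro_offset) < 0 ? BUG_HIT : HELD;
}

int main(void)
{
    printf("unguarded=%d guarded=%d guarded_fail=%d\n",
           demo(0, 1), demo(1, 1), demo(1, 0));
    return 0;
}
```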
Related Identifiers
Affected Products
Linux