ipv4: ip_gre: make ipgre_header() robust

Summary

CVECVE-2026-23011
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-01-25 15:15:55 UTC
Updated2026-07-14 13:18:22 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: NVD-CWE-noinfo

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected c54419321455631079c7d6e60bc732dd0c5914c5 eeb9a521de40c6fadccc12fa5205e5a1b364d5a8 git Not specified
CNA Linux Linux affected c54419321455631079c7d6e60bc732dd0c5914c5 8d5b6b2d79c1c22a5b0db1187a6439dff375a022 git Not specified
CNA Linux Linux affected c54419321455631079c7d6e60bc732dd0c5914c5 2ecf0aa7cc262472a9599cc51ba02ada0897a17a git Not specified
CNA Linux Linux affected c54419321455631079c7d6e60bc732dd0c5914c5 06fe0801396a36cab865b34f666de1d65bc5ce8e git Not specified
CNA Linux Linux affected c54419321455631079c7d6e60bc732dd0c5914c5 aa57bfea4674e6da8104fa3a37760a6f5f255dad git Not specified
CNA Linux Linux affected c54419321455631079c7d6e60bc732dd0c5914c5 554201ed0a8f4d32e719f42caeaeb2735a9ed6ca git Not specified
CNA Linux Linux affected c54419321455631079c7d6e60bc732dd0c5914c5 e67c577d89894811ce4dcd1a9ed29d8b63476667 git Not specified
CNA Linux Linux affected 3.10 Not specified
CNA Linux Linux unaffected 3.10 semver Not specified
CNA Linux Linux unaffected 5.10.249 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.199 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.162 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.122 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.67 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.7 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19 * original_commit_for_fix Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP MFP affected V3.1.6 * custom Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-019113.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/eeb9a521de40c6fadccc12fa5205e5a1b364d5a8 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/8d5b6b2d79c1c22a5b0db1187a6439dff375a022 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/06fe0801396a36cab865b34f666de1d65bc5ce8e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/2ecf0aa7cc262472a9599cc51ba02ada0897a17a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report