netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-45859
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-27 14:16:58 UTC
Updated2026-05-30 11:17:14 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation Ulrich reports a regression with nfqueue: If an application did not set the 'F_GSO' capability flag and a gso packet with an unconfirmed nf_conn entry is received all packets are now dropped instead of queued, because the check happens after skb_gso_segment(). In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skb_clone happening via skb_gso_segment(). Move the check so that its peformed vs. the aggregated packet. Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time. For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry. While at it, simplify nf_ct_drop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries. This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren't aggregated by GRO. Next patch adds a udpgro test case to cover this scenario.

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000420000 probability, percentile 0.129270000 (date 2026-06-01)

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1CNADECLARED7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb 79b713ef4261a8ead96af4703f89d0b5f25532e2 git Not specified
CNA Linux Linux affected 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb 23901aa6b8a2f294c4b774436b4691f3ff863a8f git Not specified
CNA Linux Linux affected 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb b740e7ddd7ca0dbfeafca3f5e52717206cf28524 git Not specified
CNA Linux Linux affected 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb 207b3ebacb6113acaaec0d171d5307032c690004 git Not specified
CNA Linux Linux affected 6c4a0ba674f410ab99a30a16f32dac0ebfed5cd3 git Not specified
CNA Linux Linux affected 6dcc8ba8a6074bb79040f502dc66ad23a58a1c86 git Not specified
CNA Linux Linux affected 74e6eb7fd27ef1ccc68041dbc66e6d80d2e4a1a0 git Not specified
CNA Linux Linux affected 025b3326c5c409b372d0103ad30f174e55adbd1b git Not specified
CNA Linux Linux affected 5.15.166 5.16 semver Not specified
CNA Linux Linux affected 6.1.107 6.2 semver Not specified
CNA Linux Linux affected 6.6.48 6.7 semver Not specified
CNA Linux Linux affected 6.10.7 6.11 semver Not specified
CNA Linux Linux affected 6.11 Not specified
CNA Linux Linux unaffected 6.11 semver Not specified
CNA Linux Linux unaffected 6.12.75 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.14 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.4 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/207b3ebacb6113acaaec0d171d5307032c690004 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/79b713ef4261a8ead96af4703f89d0b5f25532e2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/23901aa6b8a2f294c4b774436b4691f3ff863a8f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/b740e7ddd7ca0dbfeafca3f5e52717206cf28524 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report