Skip to main content

Linux CVE-2026-23254

| EUVDEUVD-2026-12884 MEDIUM
2026-03-18 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Jun 01, 2026 - 14:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 18:00 euvd
EUVD-2026-12884
Analysis Generated
Mar 18, 2026 - 18:00 vuln.today
CVE Published
Mar 18, 2026 - 17:41 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: gro: fix outer network offset

The udp GRO complete stage assumes that all the packets inserted the RX have the encapsulation flag zeroed. Such assumption is not true, as a few H/W NICs can set such flag when H/W offloading the checksum for an UDP encapsulated traffic, the tun driver can inject GSO packets with UDP encapsulation and the problematic layout can also be created via a veth based setup.

Due to the above, in the problematic scenarios, udp4_gro_complete() uses the wrong network offset (inner instead of outer) to compute the outer UDP header pseudo checksum, leading to csum validation errors later on in packet processing.

Address the issue always clearing the encapsulation flag at GRO completion time. Such flag will be set again as needed for encapsulated packets by udp_gro_complete().

AnalysisAI

A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.

Technical ContextAI

The vulnerability resides in the Linux kernel's networking subsystem, specifically in the GRO (Generic Receive Offload) completion logic for UDP traffic. GRO is a kernel feature that coalesces multiple incoming packets into larger payloads before processing, improving throughput by reducing per-packet overhead. The affected code path is triggered when packets with the encapsulation flag set are processed through udp4_gro_complete(), which is responsible for finalizing GRO packet aggregation and computing checksums for the outer UDP header. The root cause is an assumption that all GRO-processed packets have the encapsulation flag cleared; however, modern hardware offloading capabilities, virtualization drivers (tun), and virtual networking setups (veth) can preserve or set this flag. When the flag is set, the code incorrectly uses the inner packet's network offset instead of the outer packet's offset to locate the UDP header for pseudo checksum computation. This is a logic error in packet header interpretation rather than a memory safety issue, making it a class of incorrect data processing vulnerability. The affected product is the Linux kernel across all architectures (as indicated by the wildcard CPE), with the vulnerability present in the core networking stack module.

RemediationAI

Update to a patched Linux kernel version that includes the fixes referenced in the stable kernel tree at https://git.kernel.org/stable/ (commits 9d40a85138568696387ef04cd004c64612a70874, b83557bc6f560433fe5d727e241069f8db5ba709, 2e5edb69e5d0e23ef248c56fc977039268c77a7b, or 5c2c3c38be396257a6a2e55bd601a12bb9781507). Most Linux distributions will backport these patches into their stable kernel updates within their regular release cycle; consult your distribution's security advisory for specific patched kernel versions. For users unable to immediately patch, temporarily disable UDP GRO offloading via 'ethtool -K <interface> gro off' if UDP encapsulation is not critical, though this will reduce network throughput. Systems relying on hardware checksum offloading for encapsulated UDP traffic should prioritize patching, as they are most likely to encounter the checksum validation failures this vulnerability causes.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie fixed 6.12.73-1 -
trixie (security) fixed 6.12.74-2 -
forky fixed 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.18.10-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy