Skip to main content

Linux Kernel CVE-2026-45859

| EUVDEUVD-2026-32325 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v8w5-25mx-q5r4
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:24 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:16 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation

Ulrich reports a regression with nfqueue:

If an application did not set the 'F_GSO' capability flag and a gso packet with an unconfirmed nf_conn entry is received all packets are now dropped instead of queued, because the check happens after skb_gso_segment(). In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skb_clone happening via skb_gso_segment().

Move the check so that its peformed vs. the aggregated packet.

Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time.

For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry.

While at it, simplify nf_ct_drop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries.

This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren't aggregated by GRO.

Next patch adds a udpgro test case to cover this scenario.

AnalysisAI

Denial of service in the Linux kernel's netfilter nfnetlink_queue subsystem allows remote attackers to cause packet drops affecting availability when nfqueue is used without the NFQA_CFG_F_GSO capability flag. The flaw is a regression where the shared-unconfirmed conntrack check was performed after skb_gso_segment(), causing GSO UDP packets associated with unconfirmed nf_conn entries to be dropped instead of queued. EPSS is very low (0.02%) with no public exploit identified at time of analysis and no CISA KEV listing, indicating low real-world urgency despite the CVSS 7.5 availability score.

Technical ContextAI

The vulnerability lives in net/netfilter/nfnetlink_queue.c, the kernel component that hands packets to userspace queue handlers (nfqueue) for filtering decisions. When userspace does not negotiate the NFQA_CFG_F_GSO flag, the kernel must segment Generic Segmentation Offload (GSO) aggregated packets via skb_gso_segment() before queueing. That segmentation calls skb_clone(), which raises the skb and associated nf_conn (connection tracking) reference counts. The pre-existing nf_ct_drop_unconfirmed() check, intended to prevent queueing of skbs whose conntrack entry is still unconfirmed and shared, ran after segmentation - so every cloned segment appeared shared and was dropped. The fix moves the check ahead of segmentation against the aggregated skb and annotates segments so a second check at reinject time still catches genuinely shared entries. The condition only triggers for UDP (TCP SYNs, the only unconfirmed TCP packets, are not GRO-aggregated).

RemediationAI

Vendor-released patch: Linux kernel 6.12.75, 6.18.14, and 6.19.4 (per EUVD), with upstream commits 207b3eba, 23901aa6, 79b713ef, and b740e7dd available at git.kernel.org/stable/c/ - apply the distribution kernel update that incorporates these backports for the 5.15.y, 6.1.y, 6.6.y, 6.10.y, 6.12.y, 6.18.y, and 6.19.y series. As a workaround until the patch is deployed, update the nfqueue userspace handler to set the NFQA_CFG_F_GSO capability flag during configuration so the kernel queues GSO superpackets directly and bypasses the buggy segmentation path; the trade-off is that the userspace handler must then be able to parse and act on aggregated GSO skbs rather than per-segment packets. Alternatively, disable GRO on the receiving interface with 'ethtool -K <iface> gro off', accepting the per-packet CPU overhead that GRO normally amortizes. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-45859.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy