Skip to main content

Linux Kernel CVE-2026-53235

| EUVDEUVD-2026-39326 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rfp8-j4xw-2g59
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Network-triggerable without auth (AV:N/PR:N/UI:N) but requires a specific napi_gro_frags header-split receive condition (AC:H); impact is a kernel panic, so A:H only with C:N/I:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:40 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: add pskb_may_pull() to skb_gro_receive_list()

skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without first ensuring the data is in the linear area via pskb_may_pull(). When the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in page fragments) while skb_gro_offset is non-zero (after IP+TCP header parsing). The skb_pull() then decrements skb->len by skb_gro_offset but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len) in __skb_pull().

The UDP fraglist GRO path already contains this guard at udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides centralized protection for all callers (TCP, UDP, and any future protocols), and ensures the precondition of skb_pull() is satisfied before it is called.

On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the UDP handling.

AnalysisAI

Remote denial-of-service in the Linux kernel networking stack (GRO path) lets attackers crash a host by triggering a reachable kernel BUG_ON() panic. The flaw lives in skb_gro_receive_list(), which calls skb_pull() without a preceding pskb_may_pull() guard; when frames arrive via napi_gro_frags() with all data in page fragments (skb_headlen == 0) and a non-zero GRO offset, the pull makes skb->len drop below skb->data_len and hits BUG_ON(skb->len < skb->data_len). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach target over network
Delivery
Send crafted fully-paged IP/TCP frames
Exploit
NIC delivers via napi_gro_frags (headlen 0)
Execution
GRO calls skb_pull past linear data
Persist
Hit BUG_ON(skb->len < skb->data_len)
Impact
Kernel panic / host DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim host to receive frames through the napi_gro_frags() GRO path such that skb_headlen is 0 (all payload in paged fragments) while skb_gro_offset is non-zero after IP+TCP header parsing - i.e., GRO must be enabled and the NIC/driver must deliver header-split, fully-paged skbs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a real but moderate-priority DoS rather than a critical compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to a vulnerable host (or a malicious peer on the same segment) sends crafted IP/TCP traffic that lands on a NIC using the napi_gro_frags() receive path, so the packet's data sits entirely in page fragments with an empty linear header area. As GRO attempts to coalesce the segments, skb_gro_receive_list() pulls past the linear data and triggers the BUG_ON kernel panic, taking the machine offline. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent), corresponding to the kernel.org stable commits 0cde3a004119db637b401c54e77536e4145fc0b4, 848571dcbbbea7ba44dd4f7ebe1fbb274afe08ac, 9e636c995b7beeb74ea882968248752821c244c4, and f2bb3434544454099a5b6dec213567267b05d79d. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Linux kernel 6.10 or later and prioritize by business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy