Skip to main content

Linux Kernel EUVDEUVD-2026-26635

| CVE-2026-43036 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 08, 2026 - 18:52 vuln.today
CVSS changed
May 08, 2026 - 18:52 NVD
5.5 (MEDIUM)
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26635
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: use skb_header_pointer() for TCPv4 GSO frag_off check

Syzbot reported a KMSAN uninit-value warning in gso_features_check() called from netif_skb_features() [1].

gso_features_check() reads iph->frag_off to decide whether to clear mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr() can rely on skb header offsets that are not always safe for direct dereference on packets injected from PF_PACKET paths.

Use skb_header_pointer() for the TCPv4 frag_off check so the header read is robust whether data is already linear or needs copying.

[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407

AnalysisAI

Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.

Technical ContextAI

The vulnerability exists in the Generic Segmentation Offload (GSO) code path, specifically in gso_features_check() called from netif_skb_features(). The function attempts to read the IPv4 fragment offset field (iph->frag_off) directly via ip_hdr() or inner_ip_hdr() macros to determine whether to clear mangleid_features for offload processing. When packets arrive through PF_PACKET sockets (raw packet injection), the kernel's skb (socket buffer) header offsets may not reflect safely linearized data, allowing reads from uninitialized or out-of-bounds memory. CWE-908 (Use of Uninitialized Resource) describes this root cause. The fix uses skb_header_pointer() instead, a kernel function that safely handles both linear and non-linear skb data by copying when necessary.

RemediationAI

Update to Linux kernel version 6.12.81 or later on the stable branch, 6.19.12 or later on the 6.19 branch, or 7.0 or later on mainline. The patch replaces direct IPv4 header field access with skb_header_pointer() calls, which safely handles non-linear packet data. Users should apply updates through their distribution's kernel update mechanism (e.g., apt upgrade linux-image on Debian/Ubuntu, dnf upgrade kernel on Fedora/RHEL). The fix is backported across multiple stable kernel series, so systems should check available updates for their specific running kernel version. No configuration workarounds are applicable since the vulnerability is in core packet processing code. Restricting access to raw packet sockets (/proc/sys/net/ipv4/conf/all/rp_filter and iptables rules limiting PF_PACKET socket creation) can reduce local attack surface but is not a substitute for patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy