Skip to main content

Linux Kernel EUVDEUVD-2026-35413

| CVE-2026-46323 HIGH
Write-what-where Condition (CWE-123)
2026-06-09 Linux GHSA-hf4r-hm8m-w52j
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local kernel UAF reachable only by a local user driving a zero-copy + GRO race, so AV:L/PR:L/UI:N with AC:H for the race; successful exploitation yields full kernel CIA impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:34 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.8 (HIGH)
Patch available
Jun 09, 2026 - 14:01 EUVD
CVE Published
Jun 09, 2026 - 12:11 cve.org
HIGH 7.8
CVE Published
Jun 09, 2026 - 12:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: gro: don't merge zcopy skbs

skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag.

When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs.

AnalysisAI

Use-after-free in the Linux kernel's Generic Receive Offload (GRO) networking path allows local attackers to corrupt kernel memory and potentially achieve privilege escalation or denial of service. The flaw stems from skb_gro_receive() merging fragment lists between socket buffers without honoring the SKBFL_MANAGED_FRAG_REFS zero-copy flag, leaving page refcounts inconsistent. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local shell on Linux host
Delivery
Open zero-copy socket (MSG_ZEROCOPY/io_uring)
Exploit
Drive traffic into GRO receive path
Install
Trigger skb_gro_receive() frag merge with managed-refs skb
C2
Release zero-copy pages to dangle GRO frag pointers
Execute
Reclaim freed pages with attacker-controlled data
Impact
Escalate to kernel code execution

Vulnerability AssessmentAI

Exploitation Local code execution on the target host is required (CVSS AV:L, PR:L) - there is no remote network-only path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 of 7.8 with AV:L/AC:L/PR:L/UI:N reflects local, low-complexity, low-privileged kernel memory corruption with full CIA impact - consistent with a kernel UAF. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with an unprivileged shell on a Linux host opens a socket using MSG_ZEROCOPY (or io_uring send-zc) and arranges traffic patterns that drive both the zero-copy send path and GRO receive aggregation against itself or a co-located process. They induce skb_gro_receive() to merge frags from a managed-refs skb into a normal GRO chain, then trigger release of the original zero-copy pages so the GRO skb retains dangling frag pointers, which they reclaim via page reuse to corrupt kernel memory and pivot to privilege escalation. …
Remediation Vendor-released patch: upgrade to Linux 6.6.142, 6.12.92, 7.0.11, or 7.1-rc5 (or later) which include the fix that makes skb_gro_receive() refuse to merge whenever the last GRO chain skb or the source skb has zero-copy frags. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems in production and development environments, documenting current kernel versions (via uname -r). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-35413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy