CVE-2026-23016
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
31/01/2026
Last modified:
31/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

inet: frags: drop fraglist conntrack references

Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging
leaked skbs/conntrack references more obvious.

syzbot reports this as triggering, and I can also reproduce this via
ip_defrag.sh selftest:

conntrack cleanup blocked for 60s
WARNING: net/netfilter/nf_conntrack_core.c:2512
[..]

conntrack cleanup gets stuck because there are skbs which still hold nf_conn
references via their frag_list.

net.core.skb_defer_max=0 makes the hang disappear.

Eric Dumazet points out that skb_release_head_state() doesn't follow the
fraglist.

ip_defrag.sh can only reproduce this problem since
commit 6471658dc66c ("udp: use skb_attempt_defer_free()"), but AFAICS this
problem could happen with TCP as well if pmtu discovery is off.

The relevant problem path for udp is:
1. netns emits fragmented packets
2. nf_defrag_v6_hook reassembles them (in output hook)
3. reassembled skb is tracked (skb owns nf_conn reference)
4. ip6_output refragments
5. refragmented packets also own nf_conn reference (ip6_fragment
calls ip6_copy_metadata())
6. on input path, nf_defrag_v6_hook skips defragmentation: the
fragments already have skb->nf_conn attached
7. skbs are reassembled via ipv6_frag_rcv()
8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up
in pcpu freelist, but still has nf_conn reference.

Possible solutions:
1 let defrag engine drop nf_conn entry, OR
2 export kick_defer_list_purge() and call it from the conntrack
netns exit callback, OR
3 add skb_has_frag_list() check to skb_attempt_defer_free()

2 & 3 also solve ip_defrag.sh hang but share same drawback:

Such reassembled skbs, queued to socket, can prevent conntrack module
removal until userspace has consumed the packet. While both tcp and udp
stack do call nf_reset_ct() before placing skb on socket queue, that
function doesn't iterate frag_list skbs.

Therefore drop nf_conn entries when they are placed in defrag queue.
Keep the nf_conn entry of the first (offset 0) skb so that reassembled
skb retains nf_conn entry for sake of TX path.

Note that fixes tag is incorrect; it points to the commit introducing the
'ip_defrag.sh reproducible problem': no need to backport this patch to
every stable kernel.
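As an added illustration (not the kernel's code or the patch itself), a constructed C model of the reference path in steps 3 to 8 above: each refragmented skb copies the nf_conn reference, nf_reset_ct() before socket queueing releases only the head's reference, and the chosen fix releases the non-first fragments' references when they enter the defrag queue. The struct layouts and helper functions are simplifications assumed for the model, not kernel APIs.

```c
#include <stdlib.h>
/* Constructed toy model of the advisory's reference path; not kernel code. */
struct nf_conn { int refcnt; };
struct skb {
    int frag_offset;
    struct nf_conn *nfct;   /* conntrack reference owned by this skb, or NULL */
    struct skb *frag_list;  /* trailing fragments hanging off the head skb */
    struct skb *next;       /* link inside the defrag queue / frag_list */
};
static void nf_conn_put(struct nf_conn *ct) { if (ct) ct->refcnt--; }

/* Step 5: ip6_fragment() + ip6_copy_metadata(): every fragment takes a reference. */
static struct skb *emit_fragment(int offset, struct nf_conn *ct) {
    struct skb *s = calloc(1, sizeof *s);
    s->frag_offset = offset;
    s->nfct = ct; ct->refcnt++;
    return s;
}

/* Defrag queue. With the fix, a non-first fragment drops its entry on enqueue. */
static void enqueue(struct skb **queue, struct skb *s, int fixed) {
    if (fixed && s->frag_offset != 0) { nf_conn_put(s->nfct); s->nfct = NULL; }
    s->next = *queue;
    *queue = s;
}

/* Step 7: the offset-0 skb becomes the head, the others form its frag_list. */
static struct skb *reassemble(struct skb *queue) {
    struct skb *head = NULL, *chain = NULL, *s, *n;
    for (s = queue; s; s = n) {
        n = s->next;
        if (s->frag_offset == 0) { head = s; head->next = NULL; }
        else { s->next = chain; chain = s; }
    }
    head->frag_list = chain;
    return head;
}
/* nf_reset_ct() before socket queueing: releases the head's reference only. */
static void nf_reset_ct(struct skb *head) { nf_conn_put(head->nfct); head->nfct = NULL; }

/* Step 8: consume the packet. Returns nf_conn references still held afterwards;
 * anything above 0 is what keeps conntrack netns cleanup waiting. */
int leaked_refs_after_consume(int fixed) {
    struct nf_conn ct = { 0 };
    struct skb *queue = NULL, *head, *s, *n;
    int offsets[] = { 0, 1280, 2560 };  /* constructed: one datagram, three fragments */
    for (int i = 0; i < 3; i++) enqueue(&queue, emit_fragment(offsets[i], &ct), fixed);
    head = reassemble(queue);
    nf_reset_ct(head);
    for (s = head->frag_list; s; s = n) { n = s->next; free(s); }  /* refs never released */
    free(head);
    return ct.refcnt;
}
```

Without the fix the two trailing fragments keep their references after the socket has consumed the datagram; with the fix only the head ever reaches the socket holding one, and nf_reset_ct() releases it.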