CVE-2026-31429

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: skb: fix cross-cache free of KFENCE-allocated skb head<br /> <br /> SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2<br /> value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc<br /> bucket sizes. This ensures that skb_kfree_head() can reliably use<br /> skb_end_offset to distinguish skb heads allocated from<br /> skb_small_head_cache vs. generic kmalloc caches.<br /> <br /> However, when KFENCE is enabled, kfence_ksize() returns the exact<br /> requested allocation size instead of the slab bucket size. If a caller<br /> (e.g. bpf_test_init) allocates skb head data via kzalloc() and the<br /> requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then<br /> slab_build_skb() -&gt; ksize() returns that exact value. After subtracting<br /> skb_shared_info overhead, skb_end_offset ends up matching<br /> SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free<br /> the object to skb_small_head_cache instead of back to the original<br /> kmalloc cache, resulting in a slab cross-cache free:<br /> <br /> kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected<br /> skbuff_small_head but got kmalloc-1k<br /> <br /> Fix this by always calling kfree(head) in skb_kfree_head(). This keeps<br /> the free path generic and avoids allocator-specific misclassification<br /> for KFENCE objects.