Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2026-23016

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
31/01/2026
Last modified:
31/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

inet: frags: drop fraglist conntrack references

Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging
leaked skbs/conntrack references more obvious.

syzbot reports this as triggering, and I can also reproduce this via
ip_defrag.sh selftest:

conntrack cleanup blocked for 60s
WARNING: net/netfilter/nf_conntrack_core.c:2512
[..]

conntrack cleanup gets stuck because there are skbs that still hold nf_conn
references via their frag_list.

net.core.skb_defer_max=0 makes the hang disappear.

Eric Dumazet points out that skb_release_head_state() doesn't follow the
fraglist.

ip_defrag.sh can only reproduce this problem since
commit 6471658dc66c ("udp: use skb_attempt_defer_free()"), but AFAICS this
problem could happen with TCP as well if pmtu discovery is off.

The relevant problem path for udp is:
1. netns emits fragmented packets
2. nf_defrag_v6_hook reassembles them (in output hook)
3. reassembled skb is tracked (skb owns nf_conn reference)
4. ip6_output refragments
5. refragmented packets also own nf_conn reference (ip6_fragment
   calls ip6_copy_metadata())
6. on input path, nf_defrag_v6_hook skips defragmentation: the
   fragments already have skb->nf_conn attached
7. skbs are reassembled via ipv6_frag_rcv()
8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up
   in pcpu freelist, but still has nf_conn reference.

Possible solutions:
1 let defrag engine drop nf_conn entry, OR
2 export kick_defer_list_purge() and call it from the conntrack
  netns exit callback, OR
3 add skb_has_frag_list() check to skb_attempt_defer_free()

2 & 3 also solve ip_defrag.sh hang but share same drawback:

Such reassembled skbs, queued to socket, can prevent conntrack module
removal until userspace has consumed the packet. While both tcp and udp
stack do call nf_reset_ct() before placing skb on socket queue, that
function doesn't iterate frag_list skbs.

Therefore drop nf_conn entries when they are placed in defrag queue.
Keep the nf_conn entry of the first (offset 0) skb so that reassembled
skb retains nf_conn entry for sake of TX path.

Note that fixes tag is incorrect; it points to the commit introducing the
'ip_defrag.sh reproducible problem': no need to backport this patch to
every stable kernel.
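The reference-counting mistake behind the hang, as an added userspace model written for this page; it is not kernel code and not part of the commit. The structures (`struct nf_conn`, `struct skb` with `frag_list`), the helper names (`nf_reset_ct_head_only`, `defrag_enqueue_fixed`, `simulate`) and the fragment counts are simplified stand-ins chosen for the example, not the kernel's real definitions. It shows why dropping only the head skb's conntrack reference leaves one reference per fraglist member behind, and why releasing the reference of every fragment except the offset-0 one at defrag-queue time brings the count to zero.

```c
/* Userspace model (not kernel code) of the leak described above. The
 * names mirror kernel concepts but the structures are simplified. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a conntrack entry: only its reference count matters here. */
struct nf_conn { int use; };

/* Model of an skb: an optional conntrack reference plus a fraglist of
 * further skbs that a defrag engine chained behind the head. */
struct skb {
    struct nf_conn *nfct;
    struct skb *frag_list;   /* first fragment chained behind the head */
    struct skb *next;        /* link within a frag_list */
    int offset;              /* fragment offset: 0 for the first fragment */
};

/* Allocate a fragment that owns one reference on ct (like a refragmented
 * packet that inherited skb->nf_conn via metadata copy). */
static struct skb *skb_new(struct nf_conn *ct, int offset) {
    struct skb *s = calloc(1, sizeof(*s));
    s->offset = offset;
    if (ct) { ct->use++; s->nfct = ct; }
    return s;
}

static void nf_ct_put(struct nf_conn *ct) { if (ct) ct->use--; }

/* The behaviour the commit message criticises: the reset before socket
 * queueing touches only the head skb, never the frag_list members. */
static void nf_reset_ct_head_only(struct skb *s) {
    nf_ct_put(s->nfct);
    s->nfct = NULL;
}

/* Reassembly: chain fragments into head->frag_list; refs are untouched. */
static struct skb *reassemble(struct skb **frags, int n) {
    struct skb *head = frags[0];
    struct skb **tail = &head->frag_list;
    for (int i = 1; i < n; i++) { *tail = frags[i]; tail = &frags[i]->next; }
    return head;
}

/* The fix, modelled: when a fragment enters the defrag queue, drop its
 * conntrack reference unless it is the offset-0 fragment, so the
 * reassembled skb keeps exactly one reference for the TX path. */
static void defrag_enqueue_fixed(struct skb *s) {
    if (s->offset != 0) { nf_ct_put(s->nfct); s->nfct = NULL; }
}

/* Walk the problem path with nfrags constructed fragments (max 8):
 * each owns a ref, reassemble, head-only reset, then a deferred free
 * that never looks at frag_list. Returns the references left behind,
 * i.e. what keeps conntrack netns cleanup waiting. */
static int simulate(int nfrags, int apply_fix) {
    struct nf_conn ct = { .use = 0 };
    struct skb *frags[8];
    if (nfrags > 8) nfrags = 8;
    if (nfrags < 1) nfrags = 1;
    for (int i = 0; i < nfrags; i++) {
        frags[i] = skb_new(&ct, i * 1232);   /* 1232: example payload per fragment */
        if (apply_fix) defrag_enqueue_fixed(frags[i]);
    }
    struct skb *head = reassemble(frags, nfrags);
    nf_reset_ct_head_only(head);
    int leaked = ct.use;   /* skb_attempt_defer_free() would free without fixing this */
    for (struct skb *f = head->frag_list; f; ) { struct skb *n = f->next; free(f); f = n; }
    free(head);
    return leaked;
}

int main(void) {
    printf("unfixed: %d conntrack reference(s) left behind\n", simulate(4, 0));
    printf("fixed:   %d conntrack reference(s) left behind\n", simulate(4, 1));
    return 0;
}
```

With four fragments the unfixed path leaves three references (one per non-head fraglist member), which is the condition that makes the conntrack netns exit wait; the fixed path leaves none while the head still carried its single reference up to the reset.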

Impact