CVE-2026-45859
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
30/05/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation<br />
<br />
Ulrich reports a regression with nfqueue:<br />
<br />
If an application did not set the &#39;F_GSO&#39; capability flag and a gso<br />
packet with an unconfirmed nf_conn entry is received all packets are<br />
now dropped instead of queued, because the check happens after<br />
skb_gso_segment(). In that case, we did have exclusive ownership<br />
of the skb and its associated conntrack entry. The elevated use<br />
count is due to skb_clone happening via skb_gso_segment().<br />
<br />
Move the check so that its peformed vs. the aggregated packet.<br />
<br />
Then, annotate the individual segments except the first one so we<br />
can do a 2nd check at reinject time.<br />
<br />
For the normal case, where userspace does in-order reinjects, this avoids<br />
packet drops: first reinjected segment continues traversal and confirms<br />
entry, remaining segments observe the confirmed entry.<br />
<br />
While at it, simplify nf_ct_drop_unconfirmed(): We only care about<br />
unconfirmed entries with a refcnt > 1, there is no need to special-case<br />
dying entries.<br />
<br />
This only happens with UDP. With TCP, the only unconfirmed packet will<br />
be the TCP SYN, those aren&#39;t aggregated by GRO.<br />
<br />
Next patch adds a udpgro test case to cover this scenario.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA



