fou IpProto Leak
CVE-2026-23083
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO.
02 KernelScan AI Analysis
Risk summary
Systems using FOU (Foo-over-UDP) tunneling are vulnerable to memory exhaustion. An unprivileged user with CAP_NET_ADMIN in a user namespace can configure an invalid IP protocol value (0) that causes socket buffers to leak upon packet reception, potentially leading to system-wide denial of service through kernel memory exhaustion.
Vulnerability analysis
The FOU netlink configuration interface fails to validate the FOU_ATTR_IPPROTO attribute, allowing it to be set to 0. When packets are subsequently received on such misconfigured tunnels, fou_udp_recv() cannot process them properly because IP protocol 0 is invalid, and the socket buffers are neither freed nor resubmitted to the network stack. The fix adds input validation to reject protocol values below 1, ensuring only valid IP protocol numbers are accepted during FOU tunnel configuration.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.249 | c7498f9bc390 |
| 5.15 | 5.15.199 | 611ef4bd9c73 |
| 6.1 | 6.1.162 | 6e983789b758 |
| 6.6 | 6.6.122 | 1cc98b8887ca |
| 6.12 | 6.12.68 | b7db31a52c38 |
| 6.18 | 6.18.8 | 9b75dff8446e |
| mainline | 6.19 | 7a9bc9e3f423 |
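As an added, defender-side example (not part of the advisory, KernelScan AI, or the kernel patch), the following POSIX shell script turns the fix table above and the analysis' description of the misconfiguration into two checks: fou_fix_status compares a running kernel's version against the fixed release listed for its stable branch, and fou_zero_ipproto scans `ip fou show` style output for tunnels configured with ipproto 0, the value the patch rejects. The `ip fou show` line format ("port N ipproto P ...") and the sample lines are assumptions; branches the table does not list are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example for CVE-2026-23083 (not from the advisory): two defender-side checks.

# Fix table copied from the advisory: "<stable branch> <first fixed release>".
FOU_FIX_TABLE="5.10 5.10.249
5.15 5.15.199
6.1 6.1.162
6.6 6.6.122
6.12 6.12.68
6.18 6.18.8"
# Mainline carries the fix from this release onward.
MAINLINE_FIXED="6.19"

# ver_ge A B: succeed (exit 0) when dot-separated version A >= version B.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0;
            bi = (i <= m) ? y[i] + 0 : 0;
            if (ai < bi) exit 1;
            if (ai > bi) exit 0;
        }
        exit 0
    }'
}

# fou_fix_status <kernel release>: prints "fixed", "vulnerable" or "unknown".
# Accepts `uname -r` style strings; the distro suffix (e.g. "-arch1") is dropped.
fou_fix_status() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    branch="$major.$minor"
    fixed=$(printf '%s\n' "$FOU_FIX_TABLE" | awk -v b="$branch" '$1 == b { print $2 }')
    if [ -n "$fixed" ]; then
        # Stable branch listed in the advisory: compare against its fixed release.
        if ver_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
    elif ver_ge "$v" "$MAINLINE_FIXED"; then
        # Any release at or beyond the mainline fix.
        echo fixed
    else
        # A branch the advisory does not cover (e.g. an unlisted stable tree).
        echo unknown
    fi
}

# fou_zero_ipproto: reads `ip fou show` style lines on stdin and prints those
# whose tunnel is configured with "ipproto 0" (assumed output format:
# "port <n> ipproto <p> [dev <if>] ...", or "port <n> gue" for GUE tunnels).
fou_zero_ipproto() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "ipproto" && $(i + 1) == "0") { print; break }
    }'
}

# Constructed sample of `ip fou show` output used for a stand-alone run:
FOU_SAMPLE='port 5555 ipproto 4
port 6666 gue
port 7777 ipproto 0 dev eth0'

# Usage on a live host:
#   fou_fix_status "$(uname -r)"
#   ip fou show | fou_zero_ipproto
```

The version check treats only the branches the advisory lists as known; anything else below 6.19 is reported as unknown so the script never claims a tree is safe on the strength of a guess. The ipproto scan is a configuration audit, not a proof of exploitation: a hit means a tunnel exists that an unpatched kernel would leak socket buffers on, and the remediation is to remove or reconfigure that tunnel and upgrade to the fixed release.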