HIGH Published 2026-02-04

gue Protocol Zero Leak

CVE-2026-23095

CVSS 7.5 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI7.5HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

An attacker can cause memory exhaustion on systems with GUE enabled by sending specially crafted UDP packets with protocol field 0. Each malicious packet causes a memory leak of approximately 240 bytes. Sustained attacks could lead to system instability or denial of service through memory exhaustion.

Affectednet/ipv4/fou_core.c

Vulnerability analysis

Root Cause: The gue_udp_recv() function returns -guehdr->proto_ctype for packet resubmission in ip_protocol_deliver_rcu(), but when proto_ctype is 0, this returns 0 (success) instead of indicating resubmission. This causes the packet processing to complete successfully without proper handling, leading to the skb not being freed and resulting in a memory leak.

Attack Surface: Network-accessible via UDP packets. An attacker can craft GUE (Generic UDP Encapsulation) packets with inner protocol field set to 0 and send them to systems with GUE enabled. This requires network access to the target system but no special privileges or authentication.

Fix Mechanism: The patch adds an explicit check for proto_ctype == 0 and drops such packets immediately by jumping to the drop label. This prevents the problematic return path that causes the memory leak by ensuring packets with protocol 0 are properly freed rather than being processed through the resubmission mechanism.

03Fix Versions

Branch	Fixed in	Patch commit
5.10	5.10.249	`886f186328b7`
5.15	5.15.199	`380a82d36e37`
6.1	6.1.162	`536f5bbc322e`
6.12	6.12.68	`ce569b389a5c`
6.18	6.18.8	`5437a279804c`
6.6	6.6.122	`f87b9b7a618c`
mainline	6.19	`9a56796ad258`