HIGH
net/strparser SkbHead Leak
CVE-2026-46102
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI: 7.5 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: strparser: fix skb_head leak in strp_abort_strp()

When the stream parser is aborted, for example after a message assembly timeout, it can still hold a reference to a partially assembled message in strp->skb_head. That skb is not released in strp_abort_strp(), which leaks the partially assembled message and can be triggered repeatedly to exhaust memory.

Fix this by freeing strp->skb_head and resetting the parser state in the abort path. Leave strp_stop() unchanged so final cleanup still happens in strp_done() after the work and timer have been synchronized.
02 KernelScan AI Analysis
Risk summary
Remote attackers can exhaust system memory by repeatedly triggering stream parser aborts that leak partially assembled message buffers. This affects any system processing TCP streams through the kernel's stream parser, potentially causing denial of service through memory exhaustion.
Vulnerability analysis
The stream parser fails to release partially assembled messages in strp->skb_head when strp_abort_strp() is called, such as during message assembly timeouts. The fix adds proper cleanup by calling kfree_skb() and resetting parser state variables. This is remotely exploitable via TCP connections by sending malformed messages that trigger parser timeouts, with no privileges required.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | d6668ce0e78d |
| 5.15 | 5.15.209 | a470ed71c906 |
| 6.1 | 6.1.175 | c2e57695ec9f |
| 6.6 | 6.6.140 | e9ae00490d47 |
| 6.12 | 6.12.86 | 5327dad2ffe9 |
| 6.18 | 6.18.27 | 19ca9475f18f |
| 7.0 | 7.0.4 | 56082f442023 |
| mainline | 7.1-rc1 | fe72340daaf1 |
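
To apply the table to a host, the following added example (not KernelScan's or the kernel project's code) classifies a `uname -r` style release string against the fixed versions listed above. The function names and status strings are hypothetical, and the comparison assumes upstream stable version numbering: distribution kernels often backport fixes without changing the upstream patch level, so confirm those against the vendor's advisory.

```python
import platform
import re

# Fixed stable releases copied from the table above: (major, minor) -> patch.
FIXED_IN = {
    (5, 10): 258, (5, 15): 209, (6, 1): 175, (6, 6): 140,
    (6, 12): 86, (6, 18): 27, (7, 0): 4,
}
MAINLINE_FIXED = (7, 1)  # fix landed in 7.1-rc1, so every 7.1+ release has it


def parse_release(release):
    """Extract (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fix_status(release):
    """Classify an upstream kernel release against the fix table.

    Returns "fixed", "update-needed" (listed branch, older than its fixed
    release) or "unlisted" (the table has no fixed release for this branch;
    the page does not say whether such branches are affected).
    """
    major, minor, patch = parse_release(release)
    if (major, minor) >= MAINLINE_FIXED:
        return "fixed"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return "unlisted"
    return "fixed" if patch >= fixed_patch else "update-needed"


if __name__ == "__main__":
    # platform.release() is only meaningful here on a Linux host.
    if platform.system() == "Linux":
        release = platform.release()
        print(release, "->", fix_status(release))
    else:
        print("not a Linux host; pass a release string to fix_status()")
```

An "unlisted" result means only that the table names no fixed release for that branch, not that the branch is unaffected.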