KernelScan.io

HIGH

net/gro ZeroCopy UAF

CVE-2026-46323

CVSS 7.8 / 10.0 (KernelScan AI)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

01

In the Linux kernel, the following vulnerability has been resolved:

net: gro: don't merge zcopy skbs

skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF. When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs.

02

Engine v0.2.0

Risk summary

Local attackers with low privileges can trigger a use-after-free in the kernel's Generic Receive Offload (GRO) code by exploiting improper handling of zero-copy socket buffers. This can lead to kernel memory corruption, privilege escalation, or system crashes on systems that process network traffic with GRO enabled.

Affected: net/core/gro.c (networking GRO)

Vulnerability analysis

The vulnerability occurs in skb_gro_receive(), which merges socket buffers during Generic Receive Offload processing. When SKBFL_MANAGED_FRAG_REFS is set on a zero-copy skb, the kernel does not hold page references for the fragment data. The original code copied fragments between skbs without checking this flag, so the pages could be freed while the merged skb still referenced them, resulting in a use-after-free. The fix prevents merging of any zero-copy skbs by checking skb_zcopy() on both the source and destination skbs and returning -ETOOMANYREFS to abort the merge. The code path is reachable through network socket operations that trigger GRO processing.

03

Branch     Fixed in   Patch commit
6.12       6.12.92    479084ae0e1d
6.18       6.18.34    e334cbf3388f
6.6        6.6.142    1f9c82855641
7.0        7.0.11     44bea2032af0
mainline   7.1-rc5    4db79a322db8