CVE-2026-23095 (GCVE-0-2026-23095)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
gue: Fix skb memleak with inner IP protocol 0.
Summary
In the Linux kernel, the following vulnerability has been resolved:
gue: Fix skb memleak with inner IP protocol 0.
syzbot reported skb memleak below. [0]
The repro generated a GUE packet with its inner protocol 0.
gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
in ip_protocol_deliver_rcu(), but this only works with
non-zero protocol number.
Let's drop such packets.
Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
I think it is not practical to encap HOPOPT in GUE, so once
someone starts to complain, we could pass down a resubmit
flag pointer to distinguish two zeros from the upper layer:
* no error
* resubmit HOPOPT
[0]
BUG: memory leak
unreferenced object 0xffff888109695a00 (size 240):
comm "syz.0.17", pid 6088, jiffies 4294943096
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
backtrace (crc a84b336f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
__build_skb+0x23/0x60 net/core/skbuff.c:474
build_skb+0x20/0x190 net/core/skbuff.c:490
__tun_build_skb drivers/net/tun.c:1541 [inline]
tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0xa7/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 886f186328b718400dbf79e1bc8cbcbd710ab766
(git)
Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 380a82d36e37db49fd41ecc378c22fd29392e96a (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 536f5bbc322eb1e175bdd1ced22b236a951c4d8f (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < f87b9b7a618c82e7465e872eb10e14c803871892 (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < ce569b389a5c78d64788a5ea94560e17fa574b35 (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 5437a279804ced8088cabb945dba88a26d828f8c (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 9a56796ad258786d3624eef5aefba394fc9bdded (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "886f186328b718400dbf79e1bc8cbcbd710ab766",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "380a82d36e37db49fd41ecc378c22fd29392e96a",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "536f5bbc322eb1e175bdd1ced22b236a951c4d8f",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "f87b9b7a618c82e7465e872eb10e14c803871892",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "ce569b389a5c78d64788a5ea94560e17fa574b35",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "5437a279804ced8088cabb945dba88a26d828f8c",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "9a56796ad258786d3624eef5aefba394fc9bdded",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngue: Fix skb memleak with inner IP protocol 0.\n\nsyzbot reported skb memleak below. [0]\n\nThe repro generated a GUE packet with its inner protocol 0.\n\ngue_udp_recv() returns -guehdr-\u003eproto_ctype for \"resubmit\"\nin ip_protocol_deliver_rcu(), but this only works with\nnon-zero protocol number.\n\nLet\u0027s drop such packets.\n\nNote that 0 is a valid number (IPv6 Hop-by-Hop Option).\n\nI think it is not practical to encap HOPOPT in GUE, so once\nsomeone starts to complain, we could pass down a resubmit\nflag pointer to distinguish two zeros from the upper layer:\n\n * no error\n * resubmit HOPOPT\n\n[0]\nBUG: memory leak\nunreferenced object 0xffff888109695a00 (size 240):\n comm \"syz.0.17\", pid 6088, jiffies 4294943096\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\n backtrace (crc a84b336f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n __build_skb+0x23/0x60 net/core/skbuff.c:474\n build_skb+0x20/0x190 net/core/skbuff.c:490\n __tun_build_skb drivers/net/tun.c:1541 [inline]\n tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636\n tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770\n tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0xa7/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:16.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766"
},
{
"url": "https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a"
},
{
"url": "https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f"
},
{
"url": "https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892"
},
{
"url": "https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35"
},
{
"url": "https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c"
},
{
"url": "https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded"
}
],
"title": "gue: Fix skb memleak with inner IP protocol 0.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23095",
"datePublished": "2026-02-04T16:08:17.990Z",
"dateReserved": "2026-01-13T15:37:45.963Z",
"dateUpdated": "2026-02-06T16:33:16.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23095\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T17:16:20.370\",\"lastModified\":\"2026-02-06T17:16:24.843\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngue: Fix skb memleak with inner IP protocol 0.\\n\\nsyzbot reported skb memleak below. [0]\\n\\nThe repro generated a GUE packet with its inner protocol 0.\\n\\ngue_udp_recv() returns -guehdr-\u003eproto_ctype for \\\"resubmit\\\"\\nin ip_protocol_deliver_rcu(), but this only works with\\nnon-zero protocol number.\\n\\nLet\u0027s drop such packets.\\n\\nNote that 0 is a valid number (IPv6 Hop-by-Hop Option).\\n\\nI think it is not practical to encap HOPOPT in GUE, so once\\nsomeone starts to complain, we could pass down a resubmit\\nflag pointer to distinguish two zeros from the upper layer:\\n\\n * no error\\n * resubmit HOPOPT\\n\\n[0]\\nBUG: memory leak\\nunreferenced object 0xffff888109695a00 (size 240):\\n comm \\\"syz.0.17\\\", pid 6088, jiffies 4294943096\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\\n backtrace (crc a84b336f):\\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\\n slab_post_alloc_hook mm/slub.c:4958 [inline]\\n slab_alloc_node mm/slub.c:5263 [inline]\\n kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\\n __build_skb+0x23/0x60 net/core/skbuff.c:474\\n build_skb+0x20/0x190 net/core/skbuff.c:490\\n __tun_build_skb drivers/net/tun.c:1541 [inline]\\n tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636\\n tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770\\n tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999\\n new_sync_write fs/read_write.c:593 [inline]\\n vfs_write+0x45d/0x710 fs/read_write.c:686\\n ksys_write+0xa7/0x170 fs/read_write.c:738\\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…