CVE-2026-23095

Source
https://cve.org/CVERecord?id=CVE-2026-23095
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23095.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23095
Downstream
Related
Published
2026-02-04T16:08:17.990Z
Modified
2026-07-09T18:30:00.082994125Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
gue: Fix skb memleak with inner IP protocol 0.
Details

In the Linux kernel, the following vulnerability has been resolved:

gue: Fix skb memleak with inner IP protocol 0.

syzbot reported skb memleak below. [0]

The repro generated a GUE packet with its inner protocol 0.

gueudprecv() returns -guehdr->protoctype for "resubmit" in ipprotocoldeliverrcu(), but this only works with non-zero protocol number.

Let's drop such packets.

Note that 0 is a valid number (IPv6 Hop-by-Hop Option).

I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer:

  • no error
  • resubmit HOPOPT

[0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleakallocrecursive include/linux/kmemleak.h:44 [inline] slabpostallochook mm/slub.c:4958 [inline] slaballocnode mm/slub.c:5263 [inline] kmemcacheallocnoprof+0x3b4/0x590 mm/slub.c:5270 __buildskb+0x23/0x60 net/core/skbuff.c:474 buildskb+0x20/0x190 net/core/skbuff.c:490 __tunbuildskb drivers/net/tun.c:1541 [inline] tunbuildskb+0x4a1/0xa40 drivers/net/tun.c:1636 tungetuser+0xc12/0x2030 drivers/net/tun.c:1770 tunchrwriteiter+0x71/0x120 drivers/net/tun.c:1999 newsyncwrite fs/readwrite.c:593 [inline] vfswrite+0x45d/0x710 fs/readwrite.c:686 ksyswrite+0xa7/0x170 fs/readwrite.c:738 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xa4/0xf80 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23095.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
37dd0247797b168ad1cc7f5dbec825a1ee66535b
Fixed
886f186328b718400dbf79e1bc8cbcbd710ab766
Fixed
380a82d36e37db49fd41ecc378c22fd29392e96a
Fixed
536f5bbc322eb1e175bdd1ced22b236a951c4d8f
Fixed
f87b9b7a618c82e7465e872eb10e14c803871892
Fixed
ce569b389a5c78d64788a5ea94560e17fa574b35
Fixed
5437a279804ced8088cabb945dba88a26d828f8c
Fixed
9a56796ad258786d3624eef5aefba394fc9bdded

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23095.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.18.0
Fixed
5.10.249
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.199
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.162
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.122
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.68
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23095.json"