In the Linux kernel, the following vulnerability has been resolved: gso: fix udp gso fraglist segmentation after pull from fraglist Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skbsegment instead of skbsegmentlist, as the first can segment them correctly. Valid SKBGSOFRAGLIST skbs - consist of two or more segments - the headskb holds the protocol headers plus first gsosize - one or more fraglist skbs hold exactly one segment - all but the last must be gsosize Optional datapath hooks such as NAT and BPF (bpfskbpulldata) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in _udpv4gsosegmentlistcsum at udphdr(seg->next)->dest. Detect invalid geometry due to pull, by checking headskb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment.