CVE-2026-46323: Linux Kernel GRO Use-After-Free in Zerocopy Packet Handling
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) handler can cause a use-after-free condition when processing zerocopy network packets. The kernel's packet reassembly logic failed to account for zerocopy buffers that don't hold traditional page references, allowing freed memory to be accessed when fragments are incorrectly merged. This affects local processes with network capabilities on vulnerable systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-123, CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-15
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF. When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs.
13 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46323 exists in skb_gro_receive(), which merges incoming network packets into larger batches for performance. The function copies fragment pointers between socket buffers without validating the SKBFL_MANAGED_FRAG_REFS flag, which indicates whether the kernel or a user-space zerocopy provider owns page reference counting. When this flag is set, the source skb holds no reference to its pages—they are managed externally. Merging such fragments into a destination skb without updating refcounts creates a window where the external provider can release pages while the kernel still references them, triggering a use-after-free. The fix prevents GRO merging whenever either the source or destination skb is flagged as zerocopy.
Business impact
The vulnerability poses a moderate but real risk to production Linux systems handling high-speed network traffic with zerocopy optimizations enabled (common in telecommunications, financial networks, and high-performance computing). Successful exploitation by a local, network-capable process can crash the kernel or potentially execute arbitrary code in kernel context. Services relying on kernel stability—such as cloud platforms, network appliances, and containerized workloads—may experience unexpected downtime or security breaches if exploited.
Affected systems
All versions of the Linux kernel prior to the patch are affected. The vulnerability is most relevant to systems explicitly using zerocopy socket APIs (MSG_ZEROCOPY, AF_PACKET with PACKET_MMAP, or similar mechanisms) and running GRO-enabled network drivers, which includes virtually all modern Linux distributions in standard configurations.
Exploitability
Exploitation requires local access and the ability to send or receive network traffic with zerocopy enabled—a capability available to unprivileged processes that open sockets. The attack surface is restricted to systems where GRO is active on zerocopy-capable network paths, but the actual trigger is reliable once those conditions are met. The vulnerability is not known to be exploited in the wild as of publication, and no public proof-of-concept code is available.
Remediation
Apply kernel patches that add a check preventing GRO merging when either the source or destination skb has the SKBFL_MANAGED_FRAG_REFS flag set. This is a targeted, low-risk fix that preserves GRO performance for non-zerocopy traffic. Verify patches against the official Linux kernel security advisories and your distribution's kernel branch.
Patch guidance
Identify your kernel version using `uname -r`. Check your Linux distribution's security updates for patched kernel versions addressing CVE-2026-46323. For distributions tracking the upstream kernel, verify the commit that disables GRO merging for zerocopy skbs is included. Test the patched kernel in a staging environment to ensure network performance and stability before production rollout. Reboot systems to apply the update.
Detection guidance
Monitor for unexpected kernel panics or warnings in kernel logs (`journalctl -k`, `dmesg`) mentioning skb_gro_receive() or use-after-free conditions, which may indicate exploitation attempts. Network monitoring tools analyzing GRO statistics may show anomalies if the vulnerability is triggered. System call tracing (`strace`, BPF-based monitoring) targeting socket creation and MSG_ZEROCOPY usage can help identify risky processes, though post-exploitation detection is inherently difficult with UAF bugs.
Why prioritize this
This is a HIGH-severity local privilege escalation vector affecting kernel stability. While exploitation requires local access and specific zerocopy configuration, the scope is local (SU) and impact is severe (C:H, I:H, A:H). Organizations running high-performance networking stacks or cloud/container platforms should prioritize patching. Systems not using zerocopy APIs have lower immediate risk but should still patch as part of standard kernel maintenance.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector, low complexity (reliable trigger once conditions align), low privileges required (unprivileged socket access suffices), no user interaction, local scope, and high impact across confidentiality, integrity, and availability. The score appropriately captures a serious kernel vulnerability with moderate exploitability friction rather than a critical remote issue.
Frequently asked questions
Do I need to patch if we don't use zerocopy networking?
Systems not explicitly using MSG_ZEROCOPY or similar APIs are at lower risk, but the kernel still loads the vulnerable code. Patching remains recommended as part of standard security maintenance to eliminate the latent exposure and simplify compliance audits.
What is GRO and why is it enabled by default?
Generic Receive Offload is a kernel network optimization that combines small incoming packets into larger chunks before processing, reducing CPU overhead. It's enabled by default on most network drivers because it significantly improves throughput for high-speed networks. The vulnerability is a rare edge case in this critical optimization path.
Can this be exploited remotely?
No. The vulnerability requires local access to send or receive zerocopy-enabled network traffic. A remote attacker cannot trigger this directly but could potentially trigger it indirectly if the target system processes untrusted data via a local zerocopy application.
Will I notice performance degradation after patching?
No. The patch only prevents GRO merging for zerocopy packets, which represent a small subset of network traffic. Non-zerocopy packets continue to benefit from GRO, and the fix has minimal performance impact in real-world deployments.
This analysis is based on published vulnerability data and kernel source information as of the provided publication date. Specific patch versions, distribution timelines, and affected kernel branches should be verified against official Linux security advisories and your vendor's announcements. No exploit code or weaponized proofs are provided. Organizations should test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance