CVE-2026-46323
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A vulnerability in the Linux kernel's GRO (Generic Receive Offload) mechanism allows merging zerocopy skbs (with SKBFL_MANAGED_FRAG_REFS flag) without proper page reference management. This can lead to use-after-free (UAF) by appending fragments from a zerocopy skb to another skb without updating the page refcount.
Risk Assessment
An attacker could exploit this vulnerability to access already freed kernel memory, potentially leading to privilege escalation, data leakage, or system instability.
Recommendation
Immediately update the Linux kernel to a version containing the fix that prevents merging zerocopy skbs in GRO. Check for the patch availability for your distribution and apply it.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF. When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs.

