CVE Catalog

CVE-2026-53091

HighCVSS 8.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's qdisc_pkt_len_segs_init() function, which did not ensure that GSO packet headers are in the skb->head buffer. This can lead to incorrect behavior of network drivers expecting headers in this buffer and allow an attacker to send malicious packets causing system crashes.

Risk Assessment

The organization is exposed to denial-of-service (DoS) attacks via specially crafted GSO packets that can cause kernel crashes or unpredictable behavior of network drivers.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit with the solution). Monitor systems for unusual network traffic and apply packet filtering rules.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: pull headers in qdisc_pkt_len_segs_init() Most ndo_start_xmit() methods expects headers of gso packets to be already in skb->head. net/core/tso.c users are particularly at risk, because tso_build_hdr() does a memcpy(hdr, skb->data, hdr_len); qdisc_pkt_len_segs_init() already does a dissection of gso packets. Use pskb_may_pull() instead of skb_header_pointer() to make sure drivers do not have to reimplement this. Some malicious packets could be fed, detect them so that we can drop them sooner with a new SKB_DROP_REASON_SKB_BAD_GSO drop_reason.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS