Bug 2479832 (CVE-2026-46323)

Summary: CVE-2026-46323 kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: kgrant, rhel-process-autobot, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Linux kernel's Generic Receive Offload (GRO) networking subsystem. This vulnerability occurs when `skb_gro_receive()` attempts to merge zerocopy socket buffers (skbs) without properly managing page reference counts, specifically when the `SKBFL_MANAGED_FRAG_REFS` flag is set. An attacker could potentially exploit this to trigger a Use-After-Free (UAF) condition, which is a memory corruption vulnerability that can lead to system instability or potentially arbitrary code execution.
Bug Depends On: 2479833    

Description OSIDB Bzimport 2026-05-19 13:49:23 UTC
In the Linux kernel, the following vulnerability has been resolved:

net: gro: don't merge zcopy skbs

skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.

When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.

This flaw is a variant of Fragnesia (CVE-2026-46300) which targets the same fundamental mechanism through GRO frag-merge.
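
The refcount imbalance described above, as an added user-space model (not kernel code and not the upstream patch). The struct layouts, function names and the `MANAGED_FRAG_REFS` constant are hypothetical stand-ins for the kernel's skb, frag and `SKBFL_MANAGED_FRAG_REFS` handling; it models only the case where the source skb is zerocopy.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_FRAGS 8
#define MANAGED_FRAG_REFS 0x1   /* stand-in for SKBFL_MANAGED_FRAG_REFS */

struct page { int refcount; };  /* refcount 0 means the page is freed */
struct skb  { unsigned flags; int nr_frags; struct page *frags[MAX_FRAGS]; };

/* Attach a page; a managed (zerocopy) skb takes no reference of its own. */
static void skb_add_frag(struct skb *s, struct page *p) {
    if (!(s->flags & MANAGED_FRAG_REFS)) p->refcount++;
    s->frags[s->nr_frags++] = p;
}

/* Free an skb; only a non-managed skb drops a reference per frag. */
static void skb_release(struct skb *s) {
    if (!(s->flags & MANAGED_FRAG_REFS))
        for (int i = 0; i < s->nr_frags; i++) s->frags[i]->refcount--;
    s->nr_frags = 0;
}

/* Frag merge: move src frags onto dst. Returns false when refused. */
static bool gro_merge(struct skb *dst, struct skb *src, bool check_zcopy) {
    if (check_zcopy && ((dst->flags | src->flags) & MANAGED_FRAG_REFS))
        return false;           /* fixed behaviour: zcopy skbs are not merged */
    for (int i = 0; i < src->nr_frags; i++)
        dst->frags[dst->nr_frags++] = src->frags[i]; /* no refcount fix-up */
    src->nr_frags = 0;
    return true;
}

/* Refcount of the zerocopy page after the GRO skb is freed, while the
 * zerocopy owner still believes it holds its single reference. */
static int refcount_after_gro_free(bool check_zcopy) {
    struct page owner_page = { .refcount = 1 }, normal = { 0 };
    struct skb gro = { 0 }, zc = { .flags = MANAGED_FRAG_REFS };
    skb_add_frag(&gro, &normal);       /* GRO skb holds a ref on its own page */
    skb_add_frag(&zc, &owner_page);    /* zerocopy skb holds none */
    gro_merge(&gro, &zc, check_zcopy);
    skb_release(&gro);                 /* drops one ref per frag it carries */
    skb_release(&zc);
    return owner_page.refcount;
}

int main(void) {
    printf("unchecked merge: owner refcount = %d\n", refcount_after_gro_free(false));
    printf("zcopy check:     owner refcount = %d\n", refcount_after_gro_free(true));
    return 0;
}
```

A result of 0 in the unchecked case means the page is released while its owner still references it, which is the use-after-free condition; with the check the owner's reference survives.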

Comment 2 Keith Grant 2026-06-09 13:21:00 UTC
Updating comment#0 to reflect upstream report.

Comment 4 errata-xmlrpc 2026-06-22 05:04:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:27731 https://access.redhat.com/errata/RHSA-2026:27731

Comment 5 errata-xmlrpc 2026-06-22 05:56:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:27708 https://access.redhat.com/errata/RHSA-2026:27708

Comment 6 errata-xmlrpc 2026-06-22 06:02:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:27735 https://access.redhat.com/errata/RHSA-2026:27735