2479832 – (CVE-2026-46323) CVE-2026-46323 kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs

Bug 2479832 (CVE-2026-46323) - CVE-2026-46323 kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs

Summary: CVE-2026-46323 kernel: Linux kernel: Use-After-Free in net/gro due to imprope...

Keywords:
Status:	NEW
Alias:	CVE-2026-46323
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2479833
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-19 13:49 UTC by OSIDB Bzimport
Modified:	2026-06-19 16:02 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-19 13:49:23 UTC

In the Linux kernel, the following vulnerability has been resolved:

net: gro: don't merge zcopy skbs

skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.

When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.

This flaw is a variant of Fragnesia (CVE-2026-46300) which targets the same fundamental mechanism through GRO frag-merge.

Comment 2 Keith Grant 2026-06-09 13:21:00 UTC

Updating comment#0 to reflect upstream report.

Note You need to log in before you can comment on or make changes to this bug.