7.5

CVE-2026-45859

netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation

Ulrich reports a regression with nfqueue:

If an application did not set the 'F_GSO' capability flag and a gso
packet with an unconfirmed nf_conn entry is received all packets are
now dropped instead of queued, because the check happens after
skb_gso_segment().  In that case, we did have exclusive ownership
of the skb and its associated conntrack entry.  The elevated use
count is due to skb_clone happening via skb_gso_segment().

Move the check so that its peformed vs. the aggregated packet.

Then, annotate the individual segments except the first one so we
can do a 2nd check at reinject time.

For the normal case, where userspace does in-order reinjects, this avoids
packet drops: first reinjected segment continues traversal and confirms
entry, remaining segments observe the confirmed entry.

While at it, simplify nf_ct_drop_unconfirmed(): We only care about
unconfirmed entries with a refcnt > 1, there is no need to special-case
dying entries.

This only happens with UDP.  With TCP, the only unconfirmed packet will
be the TCP SYN, those aren't aggregated by GRO.

Next patch adds a udpgro test case to cover this scenario.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15.166 < 5.16
LinuxLinux Kernel Version >= 6.1.107 < 6.2
LinuxLinux Kernel Version >= 6.6.48 < 6.7
LinuxLinux Kernel Version >= 6.10.7 < 6.11
LinuxLinux Kernel Version >= 6.11.1 < 6.12.75
LinuxLinux Kernel Version >= 6.13 < 6.18.14
LinuxLinux Kernel Version >= 6.19 < 6.19.4
LinuxLinux Kernel Version6.11 Update-
LinuxLinux Kernel Version6.11 Updaterc4
LinuxLinux Kernel Version6.11 Updaterc5
LinuxLinux Kernel Version6.11 Updaterc6
LinuxLinux Kernel Version6.11 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.6% 0.438
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/79b713ef4261a8ead96af4703f89d0b5f25532e2
Patch
https://git.kernel.org/stable/c/23901aa6b8a2f294c4b774436b4691f3ff863a8f
Patch
https://git.kernel.org/stable/c/b740e7ddd7ca0dbfeafca3f5e52717206cf28524
Patch
https://git.kernel.org/stable/c/207b3ebacb6113acaaec0d171d5307032c690004
Patch