CVE-2026-23095
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-02-04

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23095
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.11 (inc) to 5.15.199 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.162 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.122 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.68 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.8 (exc)
linux linux_kernel 6.19
linux linux_kernel From 3.18 (inc) to 5.10.249 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in the Linux kernel related to the Generic UDP Encapsulation (GUE) protocol handling. Specifically, when a GUE packet with an inner IP protocol number of 0 is processed, the function gue_udp_recv() returns a value that causes improper handling in ip_protocol_deliver_rcu(). This leads to a failure to properly release memory, resulting in a memory leak.

The issue arises because the code expects non-zero protocol numbers for resubmission, but protocol 0 is valid (used for IPv6 Hop-by-Hop Option). The fix involves dropping such packets to prevent the memory leak.

Impact Analysis

This vulnerability can cause a memory leak in the Linux kernel when processing certain network packets. Over time, this memory leak could lead to increased memory consumption, potentially degrading system performance or causing system instability.

In environments with high network traffic involving GUE packets with inner protocol 0, this could result in resource exhaustion, leading to denial of service or crashes.

Compliance Impact

I don't know

Detection Guidance

This vulnerability relates to a memory leak in the Linux kernel triggered by GUE packets with an inner protocol number 0. Detection would involve monitoring for memory leaks related to skb (socket buffer) allocations, especially those involving GUE packets with inner protocol 0.

Since the CVE description references a kmemleak report and a backtrace involving skb allocations, one way to detect this issue is to enable and monitor the Linux kernel's kmemleak feature, which tracks memory leaks.

Suggested commands include:

  • Enable kmemleak: echo scan > /sys/kernel/debug/kmemleak
  • Check for memory leaks: cat /sys/kernel/debug/kmemleak
  • Monitor kernel logs for BUG or memory leak messages related to skb or GUE packets using: dmesg | grep -i skb
Mitigation Strategies

The vulnerability has been resolved by dropping GUE packets with inner protocol 0 to prevent the skb memory leak.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, consider filtering or dropping GUE packets with inner protocol 0 at the network level to prevent triggering the vulnerability.
  • Enable kernel memory leak detection (kmemleak) to monitor for any related memory leaks.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart