CVE-2026-43036
Awaiting Analysis Awaiting Analysis - Queue
Linux Kernel TCPv4 GSO frag_off Uninit-Value Warning

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: use skb_header_pointer() for TCPv4 GSO frag_off check Syzbot reported a KMSAN uninit-value warning in gso_features_check() called from netif_skb_features() [1]. gso_features_check() reads iph->frag_off to decide whether to clear mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr() can rely on skb header offsets that are not always safe for direct dereference on packets injected from PF_PACKET paths. Use skb_header_pointer() for the TCPv4 frag_off check so the header read is robust whether data is already linear or needs copying. [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43036
EUVD
EUVD-2026-26635
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 4.7 (inc) to 6.12.81 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's network code related to TCPv4 Generic Segmentation Offload (GSO). The issue arises because the function gso_features_check() reads the IPv4 header's frag_off field directly using ip_hdr() or inner_ip_hdr(), which can be unsafe for packets injected from PF_PACKET paths. This direct access can lead to uninitialized memory reads. The fix involves using skb_header_pointer() to safely access the TCPv4 frag_off field, ensuring the header read is robust whether the data is linear or requires copying.

Impact Analysis

This vulnerability can cause the Linux kernel to read uninitialized memory when processing certain network packets. This may lead to unpredictable behavior, potential kernel crashes, or information leakage from kernel memory, which could be exploited by an attacker to compromise system stability or security.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by using skb_header_pointer() for the TCPv4 frag_off check to ensure safe header access. Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43036. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart