CVE-2026-45859
Linux Kernel Netfilter nfnetlink_queue GSO Packet Handling Flaw

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation

Ulrich reports a regression with nfqueue: If an application did not set the 'F_GSO' capability flag and a gso packet with an unconfirmed nf_conn entry is received, all packets are now dropped instead of queued, because the check happens after skb_gso_segment().

In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skb_clone happening via skb_gso_segment().

Move the check so that it's performed vs. the aggregated packet. Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time.

For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry.

While at it, simplify nf_ct_drop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries.

This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren't aggregated by GRO.

Next patch adds a udpgro test case to cover this scenario.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15
Also listed in: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: linux_kernel; Product: linux_kernel; Version / Range: *
CWE: CWE-UNKNOWN (no CWE assigned)
Executive Summary

This vulnerability relates to the Linux kernel's netfilter component, specifically the nfnetlink_queue (nfqueue) subsystem. It is a regression: if an application does not set the 'F_GSO' capability flag and a Generic Segmentation Offload (GSO) packet with an unconfirmed connection tracking (nf_conn) entry is received, all packets are dropped instead of being queued. This happens because the check for unconfirmed entries was performed after segmentation (skb_gso_segment()); segmentation clones the skb, so the conntrack entry's use count is elevated and the check wrongly concludes that the entry is shared, even though the queue had exclusive ownership of the packet and its entry.

The fix moves the unconfirmed check to occur before segmentation, allowing proper handling of the aggregated packet. Additionally, individual segments (except the first) are annotated to allow a second check when reinjecting packets. This ensures that for normal in-order reinjections, the first segment confirms the connection entry and subsequent segments recognize the confirmed entry, preventing packet drops.

This issue primarily affects UDP traffic, as TCP only has unconfirmed packets during the SYN phase, which are not aggregated by GRO (Generic Receive Offload). The fix also simplifies the function nf_ct_drop_unconfirmed() by focusing only on unconfirmed entries with a reference count greater than one.
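A toy C model of the ordering problem described above, added here and not part of the kernel patch or this page: it reduces nf_conn and skb to a few fields (every name other than nf_ct_drop_unconfirmed and skb_gso_segment is an assumption) and shows why checking after segmentation drops every segment, while checking the aggregate first plus the reinject-time annotation keeps in-order reinjects flowing and still drops a genuinely shared entry.

```c
#include <stdbool.h>

/* Toy model (added here, not kernel code): nf_conn reduced to a confirmed
 * flag and a use count; skb to its entry plus the fix's per-segment flag. */
struct nf_conn { bool confirmed; int use; };
struct skb { struct nf_conn *ct; bool recheck_on_reinject; };

/* nf_ct_drop_unconfirmed() as simplified by the fix: drop only an entry that
 * is unconfirmed AND shared (use > 1), i.e. one we do not own exclusively. */
static bool nf_ct_drop_unconfirmed(const struct skb *s)
{ return s->ct && !s->ct->confirmed && s->ct->use > 1; }

/* skb_gso_segment(): each segment is a clone with its own reference, so the
 * aggregate's single reference becomes nsegs. All but the first are annotated. */
static void skb_gso_segment(struct skb *gso, struct skb *segs, int nsegs)
{
    for (int i = 0; i < nsegs; i++) {
        segs[i].ct = gso->ct;
        segs[i].recheck_on_reinject = (i > 0);
    }
    gso->ct->use += nsegs - 1;
}

/* Queue a GSO skb that owns ct; returns how many segments reach userspace.
 * check_before = false is the regressed order, true is the fixed order. */
int queue_gso(struct nf_conn *ct, int nsegs, struct skb *segs, bool check_before)
{
    struct skb gso = { ct, false };
    int queued = 0;
    if (check_before && nf_ct_drop_unconfirmed(&gso))
        return 0;                        /* genuinely shared: drop aggregate */
    skb_gso_segment(&gso, segs, nsegs);
    for (int i = 0; i < nsegs; i++)      /* per-segment check (old order only) */
        if (check_before || !nf_ct_drop_unconfirmed(&segs[i]))
            queued++;
    return queued;
}

/* Reinject queued segments in the given order: the first one through confirms
 * the entry; annotated segments are dropped while it is still unconfirmed. */
int reinject(struct skb *segs, const int *order, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        struct skb *s = &segs[order[i]];
        if (s->recheck_on_reinject && nf_ct_drop_unconfirmed(s))
            continue;
        s->ct->confirmed = true;
        accepted++;
    }
    return accepted;
}
```

Out-of-order reinjects still lose the annotated segments that arrive before the first one has confirmed the entry, which is why the commit message limits the guarantee to the in-order case.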

Impact Analysis

This vulnerability can cause legitimate UDP packets to be dropped unexpectedly if the application does not set the 'F_GSO' capability flag and receives GSO packets with unconfirmed connection tracking entries. This can lead to network communication disruptions, degraded application performance, or loss of data packets in affected systems.

Since the issue causes packet drops rather than unauthorized access or data leakage, the impact is primarily on network reliability and availability rather than confidentiality or integrity.
