CVE-2026-53091
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: pull headers in qdisc_pkt_len_segs_init() Most ndo_start_xmit() methods expects headers of gso packets to be already in skb->head. net/core/tso.c users are particularly at risk, because tso_build_hdr() does a memcpy(hdr, skb->data, hdr_len); qdisc_pkt_len_segs_init() already does a dissection of gso packets. Use pskb_may_pull() instead of skb_header_pointer() to make sure drivers do not have to reimplement this. Some malicious packets could be fed, detect them so that we can drop them sooner with a new SKB_DROP_REASON_SKB_BAD_GSO drop_reason.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53091
EUVD
EUVD-2026-38959
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network code, specifically related to how headers in Generic Segmentation Offload (GSO) packets are handled.

Some ndo_start_xmit() methods expect the headers of GSO packets to already be present in the skb->head area. However, the function tso_build_hdr() performs a memcpy operation assuming the headers are in skb->data, which can lead to issues.

The function qdisc_pkt_len_segs_init() already dissects GSO packets, but the vulnerability arises because drivers might have to reimplement header pulling incorrectly.

The fix involves using pskb_may_pull() instead of skb_header_pointer() to ensure drivers do not need to reimplement this logic, and to detect malicious packets earlier so they can be dropped with a new drop reason SKB_DROP_REASON_SKB_BAD_GSO.

Impact Analysis

This vulnerability could allow maliciously crafted network packets to be processed incorrectly by the Linux kernel's networking stack.

Such malformed packets might cause unexpected behavior in packet transmission functions, potentially leading to system instability or security issues such as denial of service or data corruption.

By detecting and dropping these malicious packets earlier, the fix reduces the risk of such impacts.

Detection Guidance

This vulnerability involves malformed GSO (Generic Segmentation Offload) packets that can be detected by monitoring for packets dropped with the new SKB_DROP_REASON_SKB_BAD_GSO drop reason.

Detection can be done by checking kernel logs or network driver statistics for occurrences of SKB_BAD_GSO drops, which indicate that malicious or malformed packets were identified and dropped.

Specific commands are not provided in the available information.

Mitigation Strategies

The vulnerability has been resolved by modifying the Linux kernel to use pskb_may_pull() instead of skb_header_pointer() to ensure proper handling of GSO packet headers.

Immediate mitigation steps include updating your Linux kernel to the fixed version that contains this patch.

No other specific mitigation steps or workarounds are provided in the available information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart