CVE-2026-53235
Received - Intake
Linux kernel GRO pskb_may_pull() missing check vulnerability

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: add pskb_may_pull() to skb_gro_receive_list()

skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without first ensuring the data is in the linear area via pskb_may_pull().

When the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in page fragments) while skb_gro_offset is non-zero (after IP+TCP header parsing). The skb_pull() then decrements skb->len by skb_gro_offset but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len) in __skb_pull().

The UDP fraglist GRO path already contains this guard at udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides centralized protection for all callers (TCP, UDP, and any future protocols), and ensures the precondition of skb_pull() is satisfied before it is called.

On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the UDP handling.

Meta Information

Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: linux_kernel
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Impact Analysis

This vulnerability can cause a kernel crash: the BUG_ON check in __skb_pull() fires when skb_pull() is called on an skb whose data is not in the linear area. Such a crash can lead to denial of service (DoS) on affected systems running the vulnerable Linux kernel, potentially disrupting network communication and system stability.

Executive Summary

This vulnerability exists in the Linux kernel's network code, specifically in the function skb_gro_receive_list(). The function calls skb_pull(skb, skb_gro_offset(skb)) without first using pskb_may_pull() to ensure that the data is in the linear area. When a packet arrives via napi_gro_frags(), skb_headlen can be zero (all data in page fragments) while skb_gro_offset is non-zero, so skb_pull() decrements skb->len by skb_gro_offset while skb->data_len stays unchanged. This hits BUG_ON(skb->len < skb->data_len) in __skb_pull().

The fix adds a call to pskb_may_pull() before skb_pull() in skb_gro_receive_list(), which ensures the data being pulled is in the linear area. If pskb_may_pull() fails, NAPI_GRO_CB(skb)->flush is set to 1, so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the existing UDP handling. This change centralizes protection for all callers of this function, including TCP and UDP.
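
The length accounting behind the crash and the fix, as an added userspace model in C (not kernel code and not part of the advisory). It compares the unguarded and guarded pull on a fragment-only skb, including the case where the pull-up fails; `model_skb`, `model_may_pull`, `model_pull`, `receive_list`, `frag_only_skb` and the 1500/40-byte sample are hypothetical names and constructed values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of sk_buff length accounting, not kernel code. */
struct model_skb {
    unsigned int len, data_len, gro_offset; /* data_len = bytes in page frags */
    bool flush;        /* stands in for NAPI_GRO_CB(skb)->flush */
    bool alloc_fails;  /* constructed knob: force the pull-up to fail */
};
enum outcome { HELD_AS_GRO_HEAD, FLUSHED, WOULD_HIT_BUG_ON };

/* skb_headlen: bytes in the linear area */
static unsigned int headlen(const struct model_skb *s) { return s->len - s->data_len; }

/* Models pskb_may_pull(): make the first n bytes linear, or report failure. */
static bool model_may_pull(struct model_skb *s, unsigned int n)
{
    if (n <= headlen(s)) return true;
    if (n > s->len || s->alloc_fails) return false;
    s->data_len -= n - headlen(s);  /* bytes move from frags to linear area */
    return true;
}

/* Models skb_pull(): only len shrinks; false marks where BUG_ON would fire. */
static bool model_pull(struct model_skb *s, unsigned int n)
{
    s->len -= n;
    return s->len >= s->data_len;
}

static enum outcome receive_list(struct model_skb *s, bool guarded)
{
    if (guarded && !model_may_pull(s, s->gro_offset)) {
        s->flush = true;            /* not held as a new GRO head */
        return FLUSHED;
    }
    return model_pull(s, s->gro_offset) ? HELD_AS_GRO_HEAD : WOULD_HIT_BUG_ON;
}

/* Constructed sample: frag-only 1500-byte skb, 40 header bytes parsed. */
static struct model_skb frag_only_skb(bool alloc_fails)
{
    return (struct model_skb){ 1500, 1500, 40, false, alloc_fails };
}

int main(void)
{
    struct model_skb a = frag_only_skb(false), b = a, c = frag_only_skb(true);
    printf("%d %d %d\n", receive_list(&a, false), receive_list(&b, true), receive_list(&c, true));
    return 0;
}
```

In the unguarded case `len` drops to 1460 while `data_len` stays at 1500, which is the state the kernel's `BUG_ON(skb->len < skb->data_len)` rejects; with the guard, the 40 header bytes are made linear first and both fields end at 1460.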

Mitigation Strategies

The vulnerability has been resolved by adding a check using pskb_may_pull() in skb_gro_receive_list() to ensure data is in the linear area before calling skb_pull().

To mitigate this vulnerability immediately, update your Linux kernel to a version that includes this fix.
