In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation
Ulrich reports a regression with nfqueue:
If an application did not set the 'FGSO' capability flag and a gso packet with an unconfirmed nfconn entry is received all packets are now dropped instead of queued, because the check happens after skbgsosegment(). In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skbclone happening via skbgso_segment().
Move the check so that its peformed vs. the aggregated packet.
Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time.
For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry.
While at it, simplify nfctdrop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries.
This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren't aggregated by GRO.
Next patch adds a udpgro test case to cover this scenario.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45859.json",
"cna_assigner": "Linux"
}