CVE-2026-53091

Source
https://cve.org/CVERecord?id=CVE-2026-53091
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53091.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53091
Downstream
Published
2026-06-24T16:30:30.290Z
Modified
2026-07-08T08:07:23.539918935Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H CVSS Calculator
Summary
net: pull headers in qdisc_pkt_len_segs_init()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: pull headers in qdiscpktlensegsinit()

Most ndostartxmit() methods expects headers of gso packets to be already in skb->head.

net/core/tso.c users are particularly at risk, because tsobuildhdr() does a memcpy(hdr, skb->data, hdr_len);

qdiscpktlensegsinit() already does a dissection of gso packets.

Use pskbmaypull() instead of skbheaderpointer() to make sure drivers do not have to reimplement this.

Some malicious packets could be fed, detect them so that we can drop them sooner with a new SKBDROPREASONSKBBADGSO dropreason.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53091.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e876f208af18b074f800656e4d1b99da75b2135f
Fixed
9d4f5c68f5ad4ab425f3ce1500c97c9f9743999a
Fixed
7fb4c19670110f052c04e1ec1d2b953b9f4f57e4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53091.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.16.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53091.json"