In the Linux kernel, the following vulnerability has been resolved:
net: add pskbmaypull() to skbgroreceive_list()
skbgroreceivelist() calls skbpull(skb, skbgrooffset(skb)) without first ensuring the data is in the linear area via pskbmaypull(). When the skb arrives via napigrofrags(), skbheadlen can be 0 (all data in page fragments) while skbgrooffset is non-zero (after IP+TCP header parsing). The skbpull() then decrements skb->len by skbgrooffset but skb->datalen stays unchanged, hitting BUGON(skb->len < skb->data_len) in _skbpull().
The UDP fraglist GRO path already contains this guard at udpoffload.c:749. Adding it to skbgroreceivelist() itself provides centralized protection for all callers (TCP, UDP, and any future protocols), and ensures the precondition of skb_pull() is satisfied before it is called.
On pskbmaypull() failure, set NAPIGROCB(skb)->flush = 1 so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the UDP handling.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53235.json",
"cna_assigner": "Linux"
}