CVE-2026-53235

Source
https://cve.org/CVERecord?id=CVE-2026-53235
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53235.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53235
Downstream
Published
2026-06-25T08:39:32.518Z
Modified
2026-07-08T08:13:46.617057668Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
net: add pskb_may_pull() to skb_gro_receive_list()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: add pskbmaypull() to skbgroreceive_list()

skbgroreceivelist() calls skbpull(skb, skbgrooffset(skb)) without first ensuring the data is in the linear area via pskbmaypull(). When the skb arrives via napigrofrags(), skbheadlen can be 0 (all data in page fragments) while skbgrooffset is non-zero (after IP+TCP header parsing). The skbpull() then decrements skb->len by skbgrooffset but skb->datalen stays unchanged, hitting BUGON(skb->len < skb->data_len) in _skbpull().

The UDP fraglist GRO path already contains this guard at udpoffload.c:749. Adding it to skbgroreceivelist() itself provides centralized protection for all callers (TCP, UDP, and any future protocols), and ensures the precondition of skb_pull() is satisfied before it is called.

On pskbmaypull() failure, set NAPIGROCB(skb)->flush = 1 so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the UDP handling.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53235.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8d95dc474f85481652a0e422d2f1f079de81f63c
Fixed
9e636c995b7beeb74ea882968248752821c244c4
Fixed
0cde3a004119db637b401c54e77536e4145fc0b4
Fixed
848571dcbbbea7ba44dd4f7ebe1fbb274afe08ac
Fixed
f2bb3434544454099a5b6dec213567267b05d79d

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53235.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53235.json"