PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23254 Linux CVE debrief

## Summary CVE-2026-23254 is a MEDIUM-severity vulnerability in the Linux kernel's Generic Receive Offload (GRO) networking path. The flaw causes `udp4_gro_complete()` to compute the outer UDP header pseudo-checksum using the wrong (inner) network offset when the `encapsulation` flag is unexpectedly set on incoming packets. This leads to checksum validation errors during subsequent packet processing, resulting in potential denial of service (availability impact). The vulnerability is local-attack only (AV:L) with low attack complexity and requires low privileges. ## Affected Products - **Linux kernel** versions 6.6.31 through 6.6.123 (fixed in 6.6.124) - **Linux kernel** versions 6.8.10 through 6.8.x (fixed before 6.9) - **Linux kernel** versions 6.9.1 through 6.12.69 (fixed in 6.12.70) - **Linux kernel** versions 6.13 through 6.18.9 (fixed in 6.18.10) - **Linux kernel** versions 6.9 (initial release), 6.9-rc7, and 6.19-rc1 through 6.19-rc8 The vulnerability exists in the UDP GRO completion path where hardware NICs with checksum offloading, the TUN driver, or veth-based setups may set the `encapsulation` flag on packets that the GRO layer does not expect to have it set. ## Root Cause The UDP GRO complete stage incorrectly assumes that all packets inserted into the receive path have the `encapsulation` flag cleared. When this assumption is violated—by hardware NICs performing UDP-encapsulated checksum offloading, the TUN driver injecting GSO packets with UDP encapsulation, or veth configurations—the `udp4_gro_complete()` function uses the inner network header offset rather than the outer network header offset to compute the UDP pseudo-header checksum. This miscalculation propagates as checksum validation failures later in the network stack. ## Impact Successful exploitation results in **denial of service** through packet drops due to checksum validation errors. There is no confidentiality or integrity impact per the CVSS:3.1 vector (C:N/I:N/A:H). The attack requires local access to the system or the ability to inject crafted packets through local network interfaces (TUN, veth, or hardware with specific offloading behavior). ## Evidence and Timeline | **

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-06-01
Advisory published
2026-03-18
Advisory updated
2026-06-01

Who should care

Linux system administrators, kernel maintainers, cloud infrastructure operators, and organizations running containerized or virtualized workloads on affected kernel versions. Networks utilizing hardware checksum offloading on NICs processing UDP-encapsulated traffic are at elevated risk of silent packet loss.

Technical summary

In the Linux kernel's UDP Generic Receive Offload (GRO) path, the `encapsulation` flag on `sk_buff` structures is not guaranteed to be cleared when packets enter GRO processing. Hardware NICs with UDP-encapsulated checksum offloading, the TUN driver, and veth-based setups can set this flag. When `udp4_gro_complete()` encounters such packets, it incorrectly uses the inner network header offset to compute the outer UDP pseudo-header checksum, causing validation failures. The fix clears the encapsulation flag at GRO completion time before `udp_gro_complete()` re-sets it as needed for genuinely encapsulated traffic.

Defensive priority

medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your kernel version series: 6.6.x, 6.12.x, 6.18.x, or the relevant -stable tree
  • Upgrade to a fixed kernel version: 6.6.124 or later, 6.12.70 or later, or 6.18.10 or later
  • If immediate patching is not possible, consider disabling UDP GRO or hardware checksum offloading on affected interfaces as a temporary mitigation
  • Monitor for dropped packets or checksum errors in network counters (e.g., `ethtool -S`, `netstat -s`) that may indicate this issue is being triggered
  • Validate that virtualized or containerized environments using veth pairs or TUN devices are running patched kernels, as these configurations are explicitly identified as trigger paths

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. Four stable kernel patches are referenced as mitigations. The CVSS:3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields a base score of 5.5 (MEDIUM). The weakness is classified as NVD-CWE-noinfo. No KEV entry exists.

Official resources

2026-03-18