PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45859 Linux CVE debrief

A regression in the Linux kernel's netfilter nfnetlink_queue subsystem causes packet drops for nfqueue applications that do not set the F_GSO capability flag. When a GSO (Generic Segmentation Offload) packet with an unconfirmed conntrack entry is received, the check for shared-unconfirmed state incorrectly occurs after skb_gso_segment() clones the packet. Because the clones share the conntrack entry, its reference count is already elevated when the check runs, so the check produces false-positive drops instead of queuing the packet to userspace. The regression affects UDP traffic with GRO aggregation; TCP SYN packets are not impacted, as they are not aggregated by GRO. The fix moves the shared-unconfirmed check so that it runs against the aggregated packet before segmentation, and additionally annotates the segments to enable a secondary check at reinject time.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Linux system administrators running netfilter nfqueue-based packet inspection or filtering; security vendors with nfqueue-based products; kernel maintainers tracking netfilter regressions

Technical summary

The nfnetlink_queue subsystem in the Linux kernel contains a logic error: the shared-unconfirmed conntrack check is performed after skb_gso_segment() rather than before it. When GSO packets with unconfirmed nf_conn entries arrive, the skb_clone calls made during GSO segmentation elevate the entry's reference count, causing nf_ct_drop_unconfirmed() to drop the packets instead of queuing them. The fix restructures the check order: validate the aggregated packet first, annotate the segments for secondary validation at reinject time, and simplify nf_ct_drop_unconfirmed() so that it focuses on unconfirmed entries with refcnt > 1. This ensures that in-order reinjection works correctly: the first reinjected segment confirms the entry, and subsequent segments observe the confirmed state.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches when available
  • Verify nfqueue applications set F_GSO capability flag if GSO handling is required
  • Monitor for kernel updates addressing netfilter nfnetlink_queue
  • Review UDP GRO/GSO packet handling in netfilter configurations

Evidence notes

Vulnerability description sourced from official CVE record published 2026-05-27. Kernel commit references provided in NVD source data. Vendor identification marked low confidence by source system due to 'Unknown Vendor' classification with 'Kernel' as domain candidate.

Official resources

2026-05-27