HIGH · CVE-2026-46323 · CNA: Linux

CVE-2026-46323: net: gro: don't merge zcopy skbs

In the Linux kernel, the following vulnerability has been resolved:

net: gro: don't merge zcopy skbs

skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag.

When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs.
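A simplified userspace model of the refcount imbalance described above, added here as an illustration; it is not kernel code and not the upstream patch. `toy_skb`, `toy_gro_merge` and the other names are hypothetical, and `MANAGED_FRAG_REFS` stands in for SKBFL_MANAGED_FRAG_REFS.

```c
#include <stdbool.h>
#include <stdio.h>
#define MAX_FRAGS 8
#define MANAGED_FRAG_REFS 0x1u /* stands in for SKBFL_MANAGED_FRAG_REFS */
struct page { int refcount; };
struct toy_skb { /* hypothetical, heavily reduced skb */
    unsigned flags;
    int nr_frags;
    struct page *frags[MAX_FRAGS];
};
static bool toy_is_zcopy(const struct toy_skb *s) { return (s->flags & MANAGED_FRAG_REFS) != 0; }

/* Freeing drops page refs only when the skb holds them (flag clear). */
static void toy_skb_free(struct toy_skb *skb)
{
    for (int i = 0; i < skb->nr_frags; i++)
        if (!toy_is_zcopy(skb))
            skb->frags[i]->refcount--;
    skb->nr_frags = 0;
}

/* Append src frags to tail with no refcount fix-up; guard models the fix. */
static int toy_gro_merge(struct toy_skb *tail, struct toy_skb *src, bool guard)
{
    if (guard && (toy_is_zcopy(tail) || toy_is_zcopy(src)))
        return -1; /* not merged */
    for (int i = 0; i < src->nr_frags && tail->nr_frags < MAX_FRAGS; i++)
        tail->frags[tail->nr_frags++] = src->frags[i];
    src->nr_frags = 0;
    return 0;
}

/* Refcount of a page whose single reference belongs to the zerocopy owner. */
static int owner_ref_after_rx(bool guard)
{
    struct page pg = { .refcount = 1 };
    struct toy_skb tail = { 0 };
    struct toy_skb src = { .flags = MANAGED_FRAG_REFS, .nr_frags = 1, .frags = { &pg } };
    toy_gro_merge(&tail, &src, guard);
    toy_skb_free(&src);
    toy_skb_free(&tail);
    return pg.refcount; /* 0: page released while its owner still uses it */
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", owner_ref_after_rx(false), owner_ref_after_rx(true));
    return 0;
}
```

Without the guard, the non-zerocopy tail skb drops a reference it never took, so the count reaches zero while the owner still relies on the page; with the guard the skbs stay separate and the owner's reference survives.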

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

HarborGuard Analysis

Synopsis

A use-after-free (UAF) vulnerability exists in the Linux kernel's Generic Receive Offload (GRO) networking subsystem. The flaw is reachable locally by any low-privilege user and arises because skb_gro_receive() can append page fragments from a zerocopy socket buffer to another buffer without correctly adjusting reference counts, leaving freed memory accessible. Successful exploitation gives an attacker full read, write, and crash capability over the kernel, enabling privilege escalation or complete system compromise. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel modules. Any image whose kernel package version falls within the vulnerable range is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and weights it further against each environment's compliance policy, since local privilege escalation vulnerabilities in the kernel are frequently treated as critical in hardened or regulated deployments. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting the upstream fix commits is available on HarborGuard for any image found running an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the vulnerable code path; no administrative rights are needed.

  • Victim interaction: Not required

    No user interaction or social engineering is required; the attacker exploits the kernel directly.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once local access is established; no race conditions or specific memory layout requirements are imposed.

Blast Radius

  • Reads arbitrary kernel memory, exposing credentials, cryptographic keys, and sensitive process data.
  • Writes to arbitrary kernel memory, allowing privilege escalation to root or modification of security-relevant kernel state.
  • Crashes the affected kernel, causing a full system outage and denial of service for all workloads on the host.
  • Container isolation boundaries can be broken, potentially exposing data and processes across co-located workloads on the same node.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication against all images in customer registries and CI pipelines, including internally built images that carry the Linux kernel. For environments running an affected kernel version, a patched-image rebuild at the upstream fix commits is available immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads, with a median time from publication to merged patch PR of around 90 minutes for high-severity issues. For environments where auto-remediation is not enabled, the finding is queued for manual review with full CVSS context and affected-image inventory. Given the local privilege escalation impact, teams without an immediate patch path should consider restricting unprivileged access to affected nodes and isolating sensitive workloads via network policy until a patched image is deployed.

Fix available
Affected packages
  • Linux / Linux
    < 1f9c828556416fbe3f49386708ce999fc4d4da06 (from 753f1ca4e1e50248a1b760c9774d6d6b354562cc) · < 479084ae0e1d9cb7929cb4298d35623de189f80a (from 753f1ca4e1e50248a1b760c9774d6d6b354562cc) · < e334cbf3388fd9334503a778a82d9e9f14dd2f71 (from 753f1ca4e1e50248a1b760c9774d6d6b354562cc) · < 44bea2032af0425e4ce6d26a8af0ede79db49ec1 (from 753f1ca4e1e50248a1b760c9774d6d6b354562cc) · < 4db79a322db8c97f7b73b8a347395ef4d685eb40 (from 753f1ca4e1e50248a1b760c9774d6d6b354562cc)
  • Linux / Linux
    6.0
    Fixed in 0, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1-rc5
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H