CVE Vulnerability Details: CVE-2026-46323
PUBLISHED
Assigner-Linux
Assigner Org ID-416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At-09 Jun, 2026 | 12:11
Updated At-30 Jun, 2026 | 12:10
Rejected At-
▼CVE Numbering Authority (CNA)
net: gro: don't merge zcopy skbs

In the Linux kernel, the following vulnerability has been resolved:

net: gro: don't merge zcopy skbs

skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs.

Affected Products
Vendor
Linux Kernel Organization, Inc (Linux)
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/core/gro.c
Default Status
unaffected
Versions
Affected
  • From 753f1ca4e1e50248a1b760c9774d6d6b354562cc before 3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d (git)
  • From 753f1ca4e1e50248a1b760c9774d6d6b354562cc before 1f9c828556416fbe3f49386708ce999fc4d4da06 (git)
  • From 753f1ca4e1e50248a1b760c9774d6d6b354562cc before 479084ae0e1d9cb7929cb4298d35623de189f80a (git)
  • From 753f1ca4e1e50248a1b760c9774d6d6b354562cc before e334cbf3388fd9334503a778a82d9e9f14dd2f71 (git)
  • From 753f1ca4e1e50248a1b760c9774d6d6b354562cc before 44bea2032af0425e4ce6d26a8af0ede79db49ec1 (git)
  • From 753f1ca4e1e50248a1b760c9774d6d6b354562cc before 4db79a322db8c97f7b73b8a347395ef4d685eb40 (git)
Vendor
Linux Kernel Organization, Inc (Linux)
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/core/gro.c
Default Status
affected
Versions
Affected
  • 6.0
Unaffected
  • From 0 before 6.0 (semver)
  • From 6.1.176 through 6.1.* (semver)
  • From 6.6.142 through 6.6.* (semver)
  • From 6.12.92 through 6.12.* (semver)
  • From 6.18.34 through 6.18.* (semver)
  • From 7.0.11 through 7.0.* (semver)
  • From 7.1 through * (original_commit_for_fix)
Metrics
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Hyperlink: https://git.kernel.org/stable/c/3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/1f9c828556416fbe3f49386708ce999fc4d4da06
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/479084ae0e1d9cb7929cb4298d35623de189f80a
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/e334cbf3388fd9334503a778a82d9e9f14dd2f71
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/44bea2032af0425e4ce6d26a8af0ede79db49ec1
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/4db79a322db8c97f7b73b8a347395ef4d685eb40
Resource: N/A
▼Authorized Data Publishers (ADP)
kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs

A flaw was found in the Linux kernel's Generic Receive Offload (GRO) networking subsystem. This vulnerability occurs when `skb_gro_receive()` attempts to merge zerocopy socket buffers (skbs) without properly managing page reference counts, specifically when the `SKBFL_MANAGED_FRAG_REFS` flag is set. An attacker could potentially exploit this to trigger a Use-After-Free (UAF) condition, which is a memory corruption vulnerability that can lead to system instability or potentially arbitrary code execution.

Affected Products
Vendor: Red Hat, Inc. (Red Hat)
  • Product: Red Hat Enterprise Linux AppStream EUS (v. 10.0); CPE: cpe:/o:redhat:enterprise_linux_eus:10.0; Default Status: affected
  • Product: Red Hat Enterprise Linux AppStream E4S (v.9.4); CPE: cpe:/a:redhat:rhel_e4s:9.4::appstream; Default Status: affected
  • Product: Red Hat Enterprise Linux AppStream EUS (v.9.6); CPE: cpe:/a:redhat:rhel_eus:9.6::appstream; Default Status: affected
  • Product: Red Hat Enterprise Linux BaseOS EUS (v. 10.0); CPE: cpe:/o:redhat:enterprise_linux_eus:10.0; Default Status: affected
  • Product: Red Hat Enterprise Linux BaseOS E4S (v.9.4); CPE: cpe:/o:redhat:rhel_e4s:9.4::baseos; Default Status: affected
  • Product: Red Hat Enterprise Linux BaseOS EUS (v.9.6); CPE: cpe:/o:redhat:rhel_eus:9.6::baseos; Default Status: affected
  • Product: Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0); CPE: cpe:/o:redhat:enterprise_linux_eus:10.0; Default Status: affected
  • Product: Red Hat CodeReady Linux Builder EUS (v.9.6); CPE: cpe:/a:redhat:rhel_eus:9.6::crb; Default Status: affected
  • Product: Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0); CPE: cpe:/o:redhat:enterprise_linux_eus:10.0; Default Status: affected
  • Product: Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4); CPE: cpe:/a:redhat:rhel_e4s:9.4::nfv; Default Status: affected
  • Product: Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6); CPE: cpe:/a:redhat:rhel_eus:9.6::nfv; Default Status: affected
  • Product: Red Hat Enterprise Linux Real Time EUS (v. 10.0); CPE: cpe:/o:redhat:enterprise_linux_eus:10.0; Default Status: affected
  • Product: Red Hat Enterprise Linux Real Time E4S (v.9.4); CPE: cpe:/a:redhat:rhel_e4s:9.4::realtime; Default Status: affected
  • Product: Red Hat Enterprise Linux Real Time EUS (v.9.6); CPE: cpe:/a:redhat:rhel_eus:9.6::realtime; Default Status: affected
  • Product: Red Hat Enterprise Linux 10; CPE: cpe:/o:redhat:enterprise_linux:10; Default Status: affected
  • Product: Red Hat Enterprise Linux 9; CPE: cpe:/o:redhat:enterprise_linux:9; Default Status: affected
  • Product: Red Hat Enterprise Linux for NVIDIA 26; CPE: cpe:/a:redhat:enterprise_linux_nvidia:; Default Status: affected
  • Product: Red Hat OpenShift Container Platform 4; CPE: cpe:/a:redhat:openshift:4; Default Status: affected
  • Product: Red Hat Enterprise Linux 6; CPE: cpe:/o:redhat:enterprise_linux:6; Default Status: unaffected
  • Product: Red Hat Enterprise Linux 7; CPE: cpe:/o:redhat:enterprise_linux:7; Default Status: unaffected
  • Product: Red Hat Enterprise Linux 8; CPE: cpe:/o:redhat:enterprise_linux:8; Default Status: unaffected
Problem Types
Type: CWE
CWE ID: CWE-123
Description: Write-what-where Condition
Metrics
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value: Important
namespace: https://access.redhat.com/security/updates/classification/
Solutions

RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)

RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)

RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Timeline
Event: Reported to Red Hat.
Date: 2026-05-19 11:49:44
Event: Made public.
Date: 2026-05-19 00:00:00
References
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-46323
Resource: vdb-entry, x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2479832
Resource: issue-tracking, x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46323.json
Resource: x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/errata/RHSA-2026:27731
Resource: vendor-advisory, x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:27735
Resource: vendor-advisory, x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:27708
Resource: vendor-advisory, x_refsource_REDHAT