CVE-2026-23095

HIGH 7.5

gue: Fix skb memleak with inner IP protocol 0.

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

3th

In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Feb 4, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new high vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Linux / Linux

37dd0247797b168ad1cc7f5dbec825a1ee66535b < 886f186328b718400dbf79e1bc8cbcbd710ab766 37dd0247797b168ad1cc7f5dbec825a1ee66535b < 380a82d36e37db49fd41ecc378c22fd29392e96a 37dd0247797b168ad1cc7f5dbec825a1ee66535b < 536f5bbc322eb1e175bdd1ced22b236a951c4d8f 37dd0247797b168ad1cc7f5dbec825a1ee66535b < f87b9b7a618c82e7465e872eb10e14c803871892 37dd0247797b168ad1cc7f5dbec825a1ee66535b < ce569b389a5c78d64788a5ea94560e17fa574b35 37dd0247797b168ad1cc7f5dbec825a1ee66535b < 5437a279804ced8088cabb945dba88a26d828f8c 37dd0247797b168ad1cc7f5dbec825a1ee66535b < 9a56796ad258786d3624eef5aefba394fc9bdded

Linux / Linux

3.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.kernel.org: https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766 git.kernel.org: https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a git.kernel.org: https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f git.kernel.org: https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892 git.kernel.org: https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35 git.kernel.org: https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c git.kernel.org: https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded