CVE-2026-45859
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation Ulrich reports a regression with nfqueue: If an application did not set the 'F_GSO' capability flag and a gso packet with an unconfirmed nf_conn entry is received all packets are now dropped instead of queued, because the check happens after skb_gso_segment(). In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skb_clone happening via skb_gso_segment(). Move the check so that its peformed vs. the aggregated packet. Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time. For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry. While at it, simplify nf_ct_drop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries. This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren't aggregated by GRO. Next patch adds a udpgro test case to cover this scenario.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2026-45859 NameCVE-2026-45859 DescriptionIn the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation Ulrich reports a regression with nfqueue: If an application did not set the 'F_GSO' capability flag and a gso packet with an unconfirmed nf_conn entry is received all packets are now dropped instead of queued,โฆ
CVE-2026-45859
| Name | CVE-2026-45859 |
| Description | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation Ulrich reports a regression with nfqueue: If an application did not set the 'F_GSO' capability flag and a gso packet with an unconfirmed nf_conn entry is received all packets are now dropped instead of queued, because the check happens after skb_gso_segment(). In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skb_clone happening via skb_gso_segment(). Move the check so that its peformed vs. the aggregated packet. Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time. For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry. While at it, simplify nf_ct_drop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries. This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren't aggregated by GRO. Next patch adds a udpgro test case to cover this scenario. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | bullseye | 5.10.223-1 | fixed |
| bullseye (security) | 5.10.257-1 | fixed | |
| bookworm | 6.1.170-3 | vulnerable | |
| bookworm (security) | 6.1.172-1 | vulnerable | |
| trixie | 6.12.86-1 | fixed | |
| trixie (security) | 6.12.90-1 | fixed | |
| forky | 7.0.9-1 | fixed | |
| sid | 7.0.10-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | bullseye | (not affected) | |||
| linux | source | trixie | 6.12.85-1 | |||
| linux | source | (unstable) | 6.18.14-1 |
Notes
[bullseye] - linux <not-affected> (Vulnerable code not present)
https://git.kernel.org/linus/207b3ebacb6113acaaec0d171d5307032c690004 (7.0-rc1)
Apply commands
[bullseye] - linux <not-affected> (Vulnerable code not present)https://git.kernel.org/linus/207b3ebacb6113acaaec0d171d5307032c690004 (7.0-rc1)OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.18.14-1 |
| debian | sid | fixed | 6.18.14-1 |
| debian | trixie | fixed | 6.12.85-1 |
| sles | affected | |
References
- https://git.kernel.org/stable/c/79b713ef4261a8ead96af4703f89d0b5f25532e2
- https://git.kernel.org/stable/c/23901aa6b8a2f294c4b774436b4691f3ff863a8f
- https://git.kernel.org/stable/c/b740e7ddd7ca0dbfeafca3f5e52717206cf28524
- https://git.kernel.org/stable/c/207b3ebacb6113acaaec0d171d5307032c690004
- https://security-tracker.debian.org/tracker/CVE-2026-45859
- https://www.suse.com/security/cve/CVE-2026-45859.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.