{"id":"CVE-2026-46323","summary":"net: gro: don't merge zcopy skbs","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: don't merge zcopy skbs\n\nskb_gro_receive() can currently copy frags between the source and GRO\nskb, without checking the zerocopy status, and in particular the\nSKBFL_MANAGED_FRAG_REFS flag.\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference\non the pages in shinfo-\u003efrags. Appending those frags to another skb's\nfrags without fixing up the page refcount can lead to UAF.\n\nWhen either the last skb in the GRO chain (the one we would append\nfrags to) or the source skb is zerocopy, don't merge the skbs.","modified":"2026-07-10T03:53:38.835676710Z","published":"2026-06-09T12:11:15.562Z","related":["ALSA-2026:36018","SUSE-SU-2026:22276-1","SUSE-SU-2026:22277-1","SUSE-SU-2026:22278-1","SUSE-SU-2026:22279-1","SUSE-SU-2026:22280-1","SUSE-SU-2026:22281-1","SUSE-SU-2026:22282-1","SUSE-SU-2026:22283-1","SUSE-SU-2026:22288-1","SUSE-SU-2026:22383-1","SUSE-SU-2026:22384-1","SUSE-SU-2026:22385-1","SUSE-SU-2026:22386-1","SUSE-SU-2026:22387-1","SUSE-SU-2026:22388-1","SUSE-SU-2026:22389-1","SUSE-SU-2026:22390-1","SUSE-SU-2026:22391-1","SUSE-SU-2026:22396-1","SUSE-SU-2026:22397-1","SUSE-SU-2026:22398-1","SUSE-SU-2026:22399-1","SUSE-SU-2026:22400-1","SUSE-SU-2026:22401-1","SUSE-SU-2026:22402-1","SUSE-SU-2026:22403-1","SUSE-SU-2026:22404-1","SUSE-SU-2026:22405-1","SUSE-SU-2026:22406-1","SUSE-SU-2026:22407-1","SUSE-SU-2026:22408-1","SUSE-SU-2026:22409-1","SUSE-SU-2026:22410-1","SUSE-SU-2026:22411-1","SUSE-SU-2026:22412-1","SUSE-SU-2026:22413-1","SUSE-SU-2026:22414-1","SUSE-SU-2026:22415-1","SUSE-SU-2026:22416-1","SUSE-SU-2026:22417-1","SUSE-SU-2026:22418-1","SUSE-SU-2026:22419-1","SUSE-SU-2026:22420-1","SUSE-SU-2026:22421-1","SUSE-SU-2026:22425-1","SUSE-SU-2026:22426-1","SUSE-SU-2026:22427-1","SUSE-SU-2026:22428-1","SUSE-SU-2026:22461-1","SUSE-SU-2026:22462-1","SUSE-SU-2026:22463-1","SUSE-SU-2026:22464-1","SUSE-SU-2026:22465-1","SUSE-SU-2026:22466-1","SUSE-SU-2026:22467-1","SUSE-SU-2026:22468-1","SUSE-SU-2026:22469-1","SUSE-SU-2026:22470-1","SUSE-SU-2026:22471-1","SUSE-SU-2026:22472-1","SUSE-SU-2026:22473-1","SUSE-SU-2026:22474-1","SUSE-SU-2026:22475-1","SUSE-SU-2026:22476-1","SUSE-SU-2026:22478-1","SUSE-SU-2026:22479-1","SUSE-SU-2026:22480-1","SUSE-SU-2026:22481-1","SUSE-SU-2026:22482-1","SUSE-SU-2026:22483-1","SUSE-SU-2026:22484-1","SUSE-SU-2026:22485-1","SUSE-SU-2026:22486-1","SUSE-SU-2026:22487-1","SUSE-SU-2026:22488-1","SUSE-SU-2026:22489-1","SUSE-SU-2026:22490-1","SUSE-SU-2026:22491-1","SUSE-SU-2026:22507-1","SUSE-SU-2026:22508-1","SUSE-SU-2026:22509-1","SUSE-SU-2026:2494-1","SUSE-SU-2026:2496-1","SUSE-SU-2026:2500-1","SUSE-SU-2026:2503-1","SUSE-SU-2026:2511-1","SUSE-SU-2026:2518-1","SUSE-SU-2026:2520-1","SUSE-SU-2026:2532-1","SUSE-SU-2026:2549-1","SUSE-SU-2026:2553-1","SUSE-SU-2026:2559-1","SUSE-SU-2026:2567-1","SUSE-SU-2026:2571-1","SUSE-SU-2026:2588-1","SUSE-SU-2026:2592-1","SUSE-SU-2026:2594-1","SUSE-SU-2026:2601-1","SUSE-SU-2026:2603-1","SUSE-SU-2026:2607-1","SUSE-SU-2026:2608-1","SUSE-SU-2026:2610-1","openSUSE-SU-2026:11014-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46323.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1f9c828556416fbe3f49386708ce999fc4d4da06"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/44bea2032af0425e4ce6d26a8af0ede79db49ec1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/479084ae0e1d9cb7929cb4298d35623de189f80a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4db79a322db8c97f7b73b8a347395ef4d685eb40"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e334cbf3388fd9334503a778a82d9e9f14dd2f71"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46323.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27708"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27731"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27735"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36018"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-46323"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46323.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46323"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2479832"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"753f1ca4e1e50248a1b760c9774d6d6b354562cc"},{"fixed":"3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d"},{"fixed":"1f9c828556416fbe3f49386708ce999fc4d4da06"},{"fixed":"479084ae0e1d9cb7929cb4298d35623de189f80a"},{"fixed":"e334cbf3388fd9334503a778a82d9e9f14dd2f71"},{"fixed":"44bea2032af0425e4ce6d26a8af0ede79db49ec1"},{"fixed":"4db79a322db8c97f7b73b8a347395ef4d685eb40"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46323.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.0.0"},{"fixed":"6.1.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.142"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.92"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.34"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46323.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}