CVE-2026-23095 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
gue: Fix skb memleak with inner IP protocol 0.
syzbot reported skb memleak below. [0]
The repro generated a GUE packet with its inner protocol 0.
gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number.
Let's drop such packets.
Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer:
* no error * resubmit HOPOPT
[0]
BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline]
tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/03/2026
The vulnerability identified as CVE-2026-23095 affects the Linux kernel's Generic UDP Encapsulation (GUE) implementation and represents a memory leak condition that occurs when processing GUE packets with specific inner protocol values. This issue was discovered through automated testing by syzbot, which identified a pattern of unreferenced memory allocation that persisted in kernel memory. The root cause lies in how the gue_udp_recv() function handles packets where the inner IP protocol field is set to zero, which according to the IPv6 specification represents the Hop-by-Hop Options header. The function returns a negative value to indicate a "resubmit" condition, but this mechanism fails when the protocol number is zero because zero is a valid protocol identifier that should not be treated as an error condition.
The technical flaw manifests in the kernel's packet processing pipeline within the ip_protocol_deliver_rcu() context where the GUE module attempts to handle protocol zero as if it were an error condition. This misinterpretation leads to the allocation of socket buffer (skb) memory that is never properly released, creating a memory leak that can accumulate over time and potentially lead to system instability or resource exhaustion. The memory leak occurs specifically in the network subsystem where packets are processed through the TUN driver interface, as evidenced by the stack trace showing the allocation path through tun_build_skb and related functions in the network core. The vulnerability demonstrates a lack of proper protocol validation and handling for the legitimate protocol zero value, which should be treated as a valid inner protocol rather than an error condition.
The operational impact of this vulnerability extends beyond simple memory consumption, as sustained memory leaks can degrade system performance and potentially lead to denial of service conditions. Attackers could exploit this by crafting malicious GUE packets with inner protocol zero, causing the kernel to continuously allocate memory without proper cleanup. This type of vulnerability is particularly concerning in environments where the kernel handles high volumes of network traffic or where memory resources are constrained. The memory leak affects kernel memory management subsystems and can impact overall system stability, especially when combined with other memory pressure conditions. The issue represents a classic case of improper error handling and protocol interpretation that violates the principle of defensive programming in kernel space.
Mitigation strategies should focus on implementing proper validation of inner protocol values within the GUE packet processing logic to distinguish between genuine error conditions and legitimate protocol zero values. The recommended approach involves modifying the gue_udp_recv() function to explicitly check for protocol zero and handle it as a valid case rather than an error condition, while maintaining the existing resubmit functionality for other protocol values. This fix aligns with the principle of least privilege and proper resource management as outlined in the CWE-459 weakness category, which addresses improper cleanup of resources. Additionally, the solution should consider the broader context of protocol handling within the kernel network stack and ensure that similar issues do not exist in related modules. The fix should also incorporate proper testing procedures to validate that protocol zero values are correctly handled without affecting the intended resubmit functionality for other protocol numbers, following the ATT&CK technique of privilege escalation through kernel memory corruption.