CVE-2026-23254 in Linux
Summary
by MITRE • 03/18/2026
In the Linux kernel, the following vulnerability has been resolved:
net: gro: fix outer network offset
The udp GRO complete stage assumes that all the packets inserted into the RX path have the `encapsulation` flag zeroed. Such assumption is not true, as a few H/W NICs can set such flag when H/W offloading the checksum for UDP encapsulated traffic, the tun driver can inject GSO packets with UDP encapsulation and the problematic layout can also be created via a veth-based setup.
Due to the above, in the problematic scenarios, udp4_gro_complete() uses the wrong network offset (inner instead of outer) to compute the outer UDP header pseudo checksum, leading to csum validation errors later on in packet processing.
Address the issue by always clearing the encapsulation flag at GRO completion time. Such flag will be set again as needed for encapsulated packets by udp_gro_complete().
Analysis
by VulDB Data Team • 06/02/2026
The vulnerability described in CVE-2026-23254 represents a critical network processing flaw within the Linux kernel's Generic Receive Offload (GRO) implementation, specifically affecting UDP packet handling. This issue manifests in the udp_gro_complete() function, which is responsible for completing the GRO process for UDP packets received through the network stack. The core problem stems from an incorrect assumption made by the kernel's network subsystem during packet processing, where the code presumes that all packets entering the RX path have their encapsulation flag cleared. However, modern hardware network interface controllers (NICs) can legitimately set this flag when performing hardware offloading of UDP checksum calculations, particularly for encapsulated traffic scenarios. Additionally, the tun driver can inject Generic Segmentation Offload (GSO) packets containing UDP encapsulation, while virtual ethernet (veth) based network setups can also create the problematic packet layouts that trigger this vulnerability.
The technical implications of this flaw are significant within the context of network packet validation and integrity checking. When the udp4_gro_complete() function processes packets, it incorrectly calculates the outer UDP header pseudo checksum by using the wrong network offset, specifically the inner packet offset instead of the outer packet offset. This error in offset calculation directly impacts the checksum validation process that occurs later in packet processing, resulting in checksum validation failures that can lead to packet drops, network disruption, and potential denial of service conditions. The vulnerability specifically affects the UDP GRO completion stage, where the kernel attempts to aggregate multiple UDP packets into larger segments for more efficient processing but fails to properly account for encapsulated packet structures during this aggregation process.
The operational impact of this vulnerability extends beyond simple packet loss scenarios to potentially compromise network reliability and performance across systems running affected Linux kernel versions. Systems utilizing hardware offloading features, virtualized network environments, or network tunneling configurations are particularly at risk since these environments frequently generate the specific packet patterns that trigger the vulnerability. Network administrators and system operators may observe intermittent packet drops, increased network latency, or complete loss of connectivity in affected services, especially in high-throughput network environments where GRO processing is heavily utilized. The vulnerability's presence can also mask underlying network issues by causing intermittent failures that are difficult to diagnose and troubleshoot, as the symptoms manifest as checksum errors rather than clear protocol violations.
The resolution implemented for this vulnerability addresses the root cause by ensuring that the encapsulation flag is consistently cleared during GRO completion time, regardless of its initial state in the packet processing pipeline. This defensive programming approach prevents the incorrect network offset usage that leads to checksum validation failures while maintaining compatibility with legitimate use cases where encapsulation flags are properly set for actual encapsulated packets. The fix ensures that the udp_gro_complete() function can properly re-establish the encapsulation flag as needed for subsequent processing steps, maintaining the integrity of the network packet handling pipeline. This solution aligns with security best practices for kernel network subsystems and addresses the specific conditions outlined in the vulnerability description, including hardware NIC offloading scenarios, tun driver injection, and veth-based network configurations that can all potentially trigger the problematic code path. The mitigation strategy follows established patterns for handling network packet metadata in kernel space and maintains the expected behavior of the GRO subsystem while eliminating the checksum validation errors that occurred under the specific conditions described in the vulnerability report.
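The offset mix-up and the fix described above, modelled in user space as an added example (this is not kernel code and not part of the original advisory). The `gro_pkt` struct, its `network_offsets` array, the function names and the packet addresses are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OUTER_NET = 0, INNER_NET = 36, UDP_LEN = 36 };  /* constructed layout */

/* Hypothetical model of per-packet GRO state; not the kernel's structures. */
struct gro_pkt {
    uint8_t data[56];        /* outer IPv4, outer UDP, tunnel header, inner IPv4 */
    int encapsulation;       /* may already be set on entry (NIC, tun, veth) */
    int network_offsets[2];  /* [0] = outer header, [1] = inner header */
};

/* Folded one's-complement sum of the IPv4/UDP pseudo header at net_off. */
static uint16_t pseudo_sum(const uint8_t *d, int net_off) {
    uint32_t s = 17u + UDP_LEN;           /* protocol number + UDP length */
    for (int i = 12; i < 20; i += 2)      /* saddr, daddr as 16-bit words */
        s += ((uint32_t)d[net_off + i] << 8) | d[net_off + i + 1];
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Before the fix, as described: the incoming flag selects the offset. */
static uint16_t complete_buggy(const struct gro_pkt *p) {
    return pseudo_sum(p->data, p->network_offsets[p->encapsulation ? 1 : 0]);
}

/* After the fix, as described: the flag is cleared first. */
static uint16_t complete_fixed(struct gro_pkt *p) {
    p->encapsulation = 0;
    return pseudo_sum(p->data, p->network_offsets[p->encapsulation]);
}

static struct gro_pkt sample(int encap_flag) {   /* constructed sample packet */
    struct gro_pkt p = { {0}, encap_flag, { OUTER_NET, INNER_NET } };
    static const uint8_t outer[8] = { 10, 0, 0, 1, 10, 0, 0, 2 };        /* 10.0.0.1 -> 10.0.0.2 */
    static const uint8_t inner[8] = { 192, 168, 1, 1, 192, 168, 1, 2 };  /* 192.168.1.1 -> 192.168.1.2 */
    memcpy(p.data + OUTER_NET + 12, outer, 8);
    memcpy(p.data + INNER_NET + 12, inner, 8);
    return p;
}

int main(void) {
    struct gro_pkt p = sample(1);         /* flag already set when GRO completes */
    uint16_t bad = complete_buggy(&p), good = complete_fixed(&p);
    printf("flag honoured: 0x%04x, flag cleared: 0x%04x\n", bad, good);
    return 0;
}
```

With the flag set on entry, the pseudo-header sum is built from the inner addresses and no longer matches what a receiver computes from the outer header, which is the later checksum validation error the advisory describes.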