Home

Description

In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

PUBLISHED Reserved 2026-01-13 | Published 2026-01-25 | Updated 2026-01-25 | Assigner Linux

Product status

Default status
unaffected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before aa57bfea4674e6da8104fa3a37760a6f5f255dad
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before 554201ed0a8f4d32e719f42caeaeb2735a9ed6ca
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before e67c577d89894811ce4dcd1a9ed29d8b63476667
affected

Default status
affected

3.10
affected

Any version before 3.10
unaffected

6.12.67 (semver)
unaffected

6.18.7 (semver)
unaffected

6.19-rc6 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/aa57bfea4674e6da8104fa3a37760a6f5f255dad

git.kernel.org/...c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca

git.kernel.org/...c/e67c577d89894811ce4dcd1a9ed29d8b63476667

cve.org (CVE-2026-23011)

nvd.nist.gov (CVE-2026-23011)

Download JSON