Home

Description

In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

PUBLISHED Reserved 2026-01-13 | Published 2026-01-25 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before eeb9a521de40c6fadccc12fa5205e5a1b364d5a8
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before 8d5b6b2d79c1c22a5b0db1187a6439dff375a022
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before 2ecf0aa7cc262472a9599cc51ba02ada0897a17a
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before 06fe0801396a36cab865b34f666de1d65bc5ce8e
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before aa57bfea4674e6da8104fa3a37760a6f5f255dad
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before 554201ed0a8f4d32e719f42caeaeb2735a9ed6ca
affected

c54419321455631079c7d6e60bc732dd0c5914c5 (git) before e67c577d89894811ce4dcd1a9ed29d8b63476667
affected

Default status
affected

3.10
affected

Any version before 3.10
unaffected

5.10.249 (semver)
unaffected

5.15.199 (semver)
unaffected

6.1.162 (semver)
unaffected

6.6.122 (semver)
unaffected

6.12.67 (semver)
unaffected

6.18.7 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/eeb9a521de40c6fadccc12fa5205e5a1b364d5a8

git.kernel.org/...c/8d5b6b2d79c1c22a5b0db1187a6439dff375a022

git.kernel.org/...c/2ecf0aa7cc262472a9599cc51ba02ada0897a17a

git.kernel.org/...c/06fe0801396a36cab865b34f666de1d65bc5ce8e

git.kernel.org/...c/aa57bfea4674e6da8104fa3a37760a6f5f255dad

git.kernel.org/...c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca

git.kernel.org/...c/e67c577d89894811ce4dcd1a9ed29d8b63476667

cve.org (CVE-2026-23011)

nvd.nist.gov (CVE-2026-23011)

Download JSON