CVE Catalog

CVE-2026-23154

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

A bug in GSO segmentation for GRO packets with frag_list was fixed in the Linux kernel, causing low throughput during IPv4/IPv6 protocol translation by XLAT. The issue occurred because skb_segment_list incorrectly processed GRO packets after translation, as XLAT only translates the header of the head skb, leaving frag_list skbs untranslated. The patch forces the SKB_GSO_DODGY flag for GSO packets in translation helpers, ensuring fallback to the safer skb_segment function instead of skb_segment_list.

Risk Assessment

Organizations using IPv6-only hotspots to access IPv4 servers may experience significantly reduced throughput due to protocol inconsistencies in GRO packet processing after XLAT translation. This can lead to network performance degradation and connectivity issues.

Recommendation

Immediately update the Linux kernel to a version containing this patch (e.g., stable releases with backport). Monitor network performance after the update, especially in environments with IPv4/IPv6 protocol translation.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: fix segmentation of forwarding fraglist GRO This patch enhances GSO segment handling by properly checking the SKB_GSO_DODGY flag for frag_list GSO packets, addressing low throughput issues observed when a station accesses IPv4 servers via hotspots with an IPv6-only upstream interface. Specifically, it fixes a bug in GSO segmentation when forwarding GRO packets containing a frag_list. The function skb_segment_list cannot correctly process GRO skbs that have been converted by XLAT, since XLAT only translates the header of the head skb. Consequently, skbs in the frag_list may remain untranslated, resulting in protocol inconsistencies and reduced throughput. To address this, the patch explicitly sets the SKB_GSO_DODGY flag for GSO packets in XLAT's IPv4/IPv6 protocol translation helpers (bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO packets as potentially modified after protocol translation. As a result, GSO segmentation will avoid using skb_segment_list and instead falls back to skb_segment for packets with the SKB_GSO_DODGY flag. This ensures that only safe and fully translated frag_list packets are processed by skb_segment_list, resolving protocol inconsistencies and improving throughput when forwarding GRO packets converted by XLAT.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS