CVE-2026-23095
Published: 04 February 2026
Summary
CVE-2026-23095 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Memory leak in GUE packet handling directly enables remote exploitation for endpoint DoS via OS resource exhaustion.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for…
more
"resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Deeper analysisAI
CVE-2026-23095 is a memory leak vulnerability in the Linux kernel's Generic UDP Encapsulation (GUE) implementation. The issue arises in the gue_udp_recv() function, which mishandles GUE packets with an inner IP protocol number of 0. Specifically, it returns -guehdr->proto_ctype for resubmission in ip_protocol_deliver_rcu(), but this only functions correctly for non-zero protocol numbers, resulting in an unreferenced socket buffer (skb) object leak. The vulnerability was reported by syzbot, with a reproducer generating such malformed GUE packets, and is classified under CWE-401 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted GUE packets with inner protocol 0 to a vulnerable Linux kernel instance processing GUE traffic. No privileges or user interaction are required, and exploitation is straightforward over the network with low complexity. Successful exploitation leads to repeated memory leaks of skb objects, potentially causing memory exhaustion and denial-of-service (DoS) conditions on the affected system.
The provided references point to upstream Linux kernel stable patches that resolve the issue by dropping GUE packets with inner protocol 0 instead of attempting resubmission. These commits (e.g., 380a82d36e37db49fd41ecc378c22fd29392e96a) update gue_udp_recv() handling, noting that protocol 0 is valid for IPv6 Hop-by-Hop Options but impractical to encapsulate in GUE without further changes. Security practitioners should apply these kernel updates to mitigate the vulnerability.
Details
- CWE(s)