{"id":"CVE-2026-43036","summary":"net: use skb_header_pointer() for TCPv4 GSO frag_off check","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use skb_header_pointer() for TCPv4 GSO frag_off check\n\nSyzbot reported a KMSAN uninit-value warning in gso_features_check()\ncalled from netif_skb_features() [1].\n\ngso_features_check() reads iph-\u003efrag_off to decide whether to clear\nmangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()\ncan rely on skb header offsets that are not always safe for direct\ndereference on packets injected from PF_PACKET paths.\n\nUse skb_header_pointer() for the TCPv4 frag_off check so the header read\nis robust whether data is already linear or needs copying.\n\n[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407","modified":"2026-05-28T03:53:35.458278869Z","published":"2026-05-01T14:15:34.640Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43036.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/cc91202fc20a44aab4c206f12a2bfe05da936051"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d970341cfa5594614c7a6634886c7688b4f5cafd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ddc748a391dd8642ba6b2e4fe22e7f2ddf84b7f0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7a6cd508e9e825a2c69fa9e13d41ee156852f25"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43036.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43036"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cbc53e08a793b073e79f42ca33f1f3568703540d"},{"fixed":"f7a6cd508e9e825a2c69fa9e13d41ee156852f25"},{"fixed":"cc91202fc20a44aab4c206f12a2bfe05da936051"},{"fixed":"d970341cfa5594614c7a6634886c7688b4f5cafd"},{"fixed":"ddc748a391dd8642ba6b2e4fe22e7f2ddf84b7f0"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43036.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.7.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43036.json"}}],"schema_version":"1.7.5"}