CVE-2026-23003

EUVD-2026-4621

25.01.2026, 15:15

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()

Blamed commit did not take care of VLAN encapsulations
as spotted by syzbot [1].

Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().

[1]
 BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
 BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
 BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
  IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
  ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
  __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
  ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
  ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
  ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
  ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
  dst_input include/net/dst.h:474 [inline]
  ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
  __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
  __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
  netif_receive_skb_internal net/core/dev.c:6338 [inline]
  netif_receive_skb+0x57/0x630 net/core/dev.c:6397
  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
  tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
  new_sync_write fs/read_write.c:593 [inline]
  vfs_write+0xbe2/0x15d0 fs/read_write.c:686
  ksys_write fs/read_write.c:738 [inline]
  __do_sys_write fs/read_write.c:749 [inline]
  __se_sys_write fs/read_write.c:746 [inline]
  __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4960 [inline]
  slab_alloc_node mm/slub.c:5263 [inline]
  kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
  kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
  __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
  alloc_skb include/linux/skbuff.h:1383 [inline]
  alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
  sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
  tun_alloc_skb drivers/net/tun.c:1461 [inline]
  tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
  new_sync_write fs/read_write.c:593 [inline]
  vfs_write+0xbe2/0x15d0 fs/read_write.c:686
  ksys_write fs/read_write.c:738 [inline]
  __do_sys_write fs/read_write.c:749 [inline]
  __se_sys_write fs/read_write.c:746 [inline]
  __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.10.210 ≤ 𝑥 < 5.10.249
linux	linux_kernel	5.15.149 ≤ 𝑥 < 5.15.199
linux	linux_kernel	6.1.77 ≤ 𝑥 < 6.1.162
linux	linux_kernel	6.6.16 ≤ 𝑥 < 6.6.122
linux	linux_kernel	6.7.4 ≤ 𝑥 < 6.8
linux	linux_kernel	6.8.1 ≤ 𝑥 < 6.12.67
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.7
linux	linux_kernel	6.8
linux	linux_kernel	6.19:rc1
linux	linux_kernel	6.19:rc2
linux	linux_kernel	6.19:rc3
linux	linux_kernel	6.19:rc4
linux	linux_kernel	6.19:rc5
linux	linux_kernel	6.19:rc6
linux	linux_kernel	6.19:rc7
linux	linux_kernel	6.19:rc8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	6.1.164-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.251-1 fixed
forky	6.19.10-1 fixed
sid	6.19.10-1 fixed
trixie	6.12.73-1 fixed
trixie (security)	6.12.74-2 fixed

linux-6.1

bullseye (security)

6.1.164-1~deb11u1

fixed

Common Weakness Enumeration

CWE-908 - Use of Uninitialized Resource
The software uses or accesses a resource that has not been initialized.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service- Bedingung führen oder eine Speicherbeschädigung verursachen können.
Published: 2026-01-25T23:00:00+00:00

References

https://git.kernel.org/stable/c/2f03dafea0a8096a2eb60f551218b360e5bab9a3

https://git.kernel.org/stable/c/64c71d60a21a9ed0a802483dcd422b5b24eb1abe

https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd

https://git.kernel.org/stable/c/9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af

https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414

https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac

https://git.kernel.org/stable/c/f9c5c5b791d3850570796f9e067629474e613796