CVE-2026-31429
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: skb: fix cross-cache free of KFENCE-allocated skb head
SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches.
However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free:
kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k
Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | bf9f1baa279f0758dc2297080360c5a616843927 < 128b03ccb2582a643983a48a37fda58df80edbde | affected |
| Linux | Linux | bf9f1baa279f0758dc2297080360c5a616843927 < 60313768a8edc7094435975587c00c2d7b834083 | affected |
| Linux | Linux | bf9f1baa279f0758dc2297080360c5a616843927 < 2d64618ea846d8d033477311f805ca487d6a6696 | affected |
| Linux | Linux | bf9f1baa279f0758dc2297080360c5a616843927 < 474e00b935db250cac320d10c1d3cf4e44b46721 | affected |
| Linux | Linux | bf9f1baa279f0758dc2297080360c5a616843927 < 0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516 | affected |
| Linux | Linux | 6.3 | affected |
| Linux | Linux | 0 < 6.3 | unaffected |
| Linux | Linux | 6.6.136 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.82 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.23 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.13 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/128b03ccb2582a643983a48a37fda58df80edbde
- https://git.kernel.org/stable/c/60313768a8edc7094435975587c00c2d7b834083
- https://git.kernel.org/stable/c/2d64618ea846d8d033477311f805ca487d6a6696
- https://git.kernel.org/stable/c/474e00b935db250cac320d10c1d3cf4e44b46721
- https://git.kernel.org/stable/c/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.