Unrated severity · NVD Advisory · Published Feb 4, 2026 · Updated Apr 15, 2026

CVE-2026-23048

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: call skb_orphan() before skb_attempt_defer_free()

Standard UDP receive path does not use skb->destructor.

But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb().

This then triggers this warning in skb_attempt_defer_free():

DEBUG_NET_WARN_ON_ONCE(skb->destructor);

We must call skb_orphan() to fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing skb_orphan() call in the Linux kernel's UDP receive path can trigger a warning when the skmsg layer sets a destructor; the fix adds the call before skb_attempt_defer_free().

Root Cause

The Linux kernel's UDP receive path normally does not use skb->destructor. However, the skmsg layer, via udp_read_skb(), calls skb_set_owner_sk_safe(), which sets a destructor on the socket buffer. When the kernel later attempts to defer freeing the skb with skb_attempt_defer_free(), it triggers a DEBUG_NET_WARN_ON_ONCE(skb->destructor) warning because the function expects no destructor to be set [1].

Exploitation

An attacker who can trigger the UDP receive path in a context where the skmsg layer is active (e.g., using BPF sockmap or similar) can cause the kernel to hit this warning. No special privileges are required beyond the ability to send UDP packets that are processed by a socket with an attached BPF program or other skmsg mechanism. The warning itself is a debug assertion, but in production kernels without DEBUG_NET it may manifest as a use-after-free or memory corruption if the destructor is mishandled.

Impact

If the warning is triggered, it indicates a potential memory safety issue. In debug kernels, the warning is printed but execution continues; however, the presence of a destructor when skb_attempt_defer_free() expects none can lead to incorrect reference counting or premature freeing of the socket owner, potentially causing a use-after-free condition. An attacker could leverage this to crash the system (denial of service) or, in some configurations, achieve arbitrary code execution.

Mitigation

The fix is to call skb_orphan() before skb_attempt_defer_free() in the UDP receive path, which clears the destructor and owner reference. This patch has been applied to the stable kernel trees [2]. Users should update to a kernel version containing the commit e5c8eda39a9fc1547d1398d707aa06c1d080abdd080abdd or later. No workaround is available; updating is the only mitigation.
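
A simplified userspace model of the ordering problem and the fix, added here as an illustration; it is not kernel code or the upstream patch. The function names mirror the helpers named above, while `owner_destructor`, `udp_free_path` and the `refcnt` field are assumptions of the model.

```c
/* Simplified userspace model, not kernel code: function names mirror the
 * helpers named in the advisory, bodies keep only the fields that matter. */
#include <stdio.h>
struct sock { int refcnt; };
struct sk_buff { struct sock *sk; void (*destructor)(struct sk_buff *); };
/* Assumed destructor for the model: drops the reference the skb holds. */
static void owner_destructor(struct sk_buff *skb) { skb->sk->refcnt--; }
/* Run the destructor now and detach the skb from its owner. */
static void skb_orphan(struct sk_buff *skb)
{
    if (skb->destructor)
        skb->destructor(skb);
    skb->destructor = NULL;
    skb->sk = NULL;
}

/* skmsg path (via udp_read_skb()): the skb takes ownership of the socket. */
static void skb_set_owner_sk_safe(struct sk_buff *skb, struct sock *sk)
{
    skb_orphan(skb);
    sk->refcnt++;
    skb->sk = sk;
    skb->destructor = owner_destructor;
}

/* Deferred free expects no destructor; returns 1 where the kernel warns. */
static int skb_attempt_defer_free(const struct sk_buff *skb)
{
    return skb->destructor != NULL;
}

/* One receive; returns the warning flag, *held = refs the skb still pins. */
int udp_free_path(int orphan_first, int *held)
{
    struct sock sk = { .refcnt = 1 };
    struct sk_buff skb = { NULL, NULL };
    skb_set_owner_sk_safe(&skb, &sk);
    if (orphan_first)
        skb_orphan(&skb); /* the fix: orphan before deferring the free */
    *held = sk.refcnt - 1;
    return skb_attempt_defer_free(&skb);
}

int main(void)
{
    int held, unfixed = udp_free_path(0, &held), fixed = udp_free_path(1, &held);
    printf("warnings: unfixed=%d fixed=%d\n", unfixed, fixed);
    return 0;
}
```

In the model, skipping the orphan step leaves the skb entering the deferred-free path with its destructor still set and one socket reference still pinned; orphaning first releases both before the hand-off.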

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
