CVE-2026-31429
Description
In the Linux kernel, the following vulnerability has been resolved:
net: skb: fix cross-cache free of KFENCE-allocated skb head
SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches.
However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free:
kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k
Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel skb head cross-cache free vulnerability due to KFENCE ksize() misclassification, fixed by using kfree() directly.
Root
Cause The vulnerability arises because the kernel's skb allocation uses a custom slab cache (skb_small_head_cache) sized to a non-power-of-2 value to avoid collisions with generic kmalloc caches. When Kernel Electric-Fence (KFENCE) is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If an allocation (e.g., from bpf_test_init) requests a size that equals SKB_SMALL_HEAD_CACHE_SIZE, then ksize() returns that exact value, causing skb_end_offset to match SKB_SMALL_HEAD_HEADROOM. Consequently, skb_kfree_head() incorrectly frees the object to skb_small_head_cache instead of the original kmalloc cache, leading to a slab cross-cache free [1].
Attack
Vector Exploitation requires the system to have KFENCE enabled and a caller to allocate skb head data with a size exactly matching SKB_SMALL_HEAD_CACHE_SIZE. The trigger is demonstrated via bpf_test_init, but other similar callers might also be affected. No special privileges are needed; the attacker must be able to trigger such an allocation, likely from user space or BPF program.
Impact
A cross-cache free corrupts kernel memory, potentially leading to system crashes, data corruption, or privilege escalation. The bug is classified as medium severity (CVSS 5.5) due to the requirement of KFENCE being enabled and specific allocation conditions.
Mitigation
The fix, committed in kernel stable branches, changes skb_kfree_head() to always call kfree(head) instead of attempting cache-specific freeing. This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects. Patches are available for multiple stable kernel versions [1][2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516nvdPatch
- git.kernel.org/stable/c/128b03ccb2582a643983a48a37fda58df80edbdenvdPatch
- git.kernel.org/stable/c/2d64618ea846d8d033477311f805ca487d6a6696nvdPatch
- git.kernel.org/stable/c/474e00b935db250cac320d10c1d3cf4e44b46721nvdPatch
- git.kernel.org/stable/c/60313768a8edc7094435975587c00c2d7b834083nvdPatch
News mentions
0No linked articles in our index yet.