SB2026050228 - Use of uninitialized resource in Linux kernel core



SB2026050228 - Use of uninitialized resource in Linux kernel core

Published: May 2, 2026

Security Bulletin ID SB2026050228
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Use of uninitialized resource (CVE-ID: CVE-2026-43036)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper handling of packet header data in gso_features_check() when processing packets injected through PF_PACKET paths. A local attacker can inject a specially crafted packet to cause a denial of service.

The issue occurs because the IPv4 header access may rely on skb header offsets that are not always safe for direct dereference in this context.


Remediation

Install update from vendor's website.