IM
IronMonkey Threat Research

CVE-2026-23359 HIGH

Published: 2026-03-25 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.

Additional Descriptions (1)

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: bpf: Corrección de escritura fuera de límites de la pila en devmap get_upper_ifindexes() itera sobre todos los dispositivos superiores y escribe sus índices en un array sin comprobar los límites. Además, los llamadores asumen que el número máximo de dispositivos superiores es MAX_NEST_DEV y asignan excluded_devices[1+MAX_NEST_DEV] en la pila, pero esa suposición no es correcta y el número de dispositivos superiores podría ser mayor que MAX_NEST_DEV (por ejemplo, muchas macvlans), causando una escritura fuera de límites de la pila. Añadir un parámetro max a get_upper_ifindexes() para evitar el problema. Cuando hay demasiados dispositivos superiores, devolver -EOVERFLOW y abortar la redirección. Para reproducir, crear más de MAX_NEST_DEV(8) macvlans en un dispositivo con un programa XDP adjunto usando BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Luego enviar un paquete al dispositivo para activar la ruta de redirección XDP.

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-787

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bfc3357c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd67d740> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc1dc340> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdcc5a1c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc334d00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b8052e380> Operating System
linux linux_kernel 5.15 <built-in method update of dict object at 0x702b8052e900> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bfc1dfe40> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bfc1df200> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bfc336d80> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bfc1de200> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd67c4c0> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd67d100> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b8052cdc0> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

References

Notification
Message here