CVE-2026-23140
Unknown Unknown - Not Provided

Metadata Size Validation Flaw in Linux Kernel XDP Frame Handling

Vulnerability report for CVE-2026-23140, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-14

Last updated on: 2026-03-17

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Subtract size of xdp_frame from allowed metadata size The xdp_frame structure takes up part of the XDP frame headroom, limiting the size of the metadata. However, in bpf_test_run, we don't take this into account, which makes it possible for userspace to supply a metadata size that is too large (taking up the entire headroom). If userspace supplies such a large metadata size in live packet mode, the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call will fail, after which packet transmission proceeds with an uninitialised frame structure, leading to the usual Bad Stuff. The commit in the Fixes tag fixed a related bug where the second check in xdp_update_frame_from_buff() could fail, but did not add any additional constraints on the metadata size. Complete the fix by adding an additional check on the metadata size. Reorder the checks slightly to make the logic clearer and add a comment.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-14
Last Modified
2026-03-17
Generated
2026-07-06
AI Q&A
2026-02-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.18 (inc) to 6.1.161 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.6 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.121 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.66 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of XDP (eXpress Data Path) frames within the bpf_test_run function. Specifically, the size of the xdp_frame structure, which occupies part of the XDP frame headroom, was not properly accounted for when userspace supplied metadata size. This oversight allowed userspace to specify a metadata size that was too large, potentially consuming the entire headroom.

When such an oversized metadata size is supplied in live packet mode, a function call (xdp_update_frame_from_buff) fails, but packet transmission continues using an uninitialized frame structure. This can lead to unpredictable and potentially harmful behavior.

The fix involved adding an additional check on the metadata size and reordering the validation logic to prevent this condition.

Impact Analysis

This vulnerability can lead to packet transmission using uninitialized frame structures, which may cause unpredictable behavior in the kernel's packet processing. Such behavior could result in system instability, crashes, or potentially allow malicious userspace processes to cause denial of service or other unintended effects.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart