CVE-2026-23140
Metadata Size Validation Flaw in Linux Kernel XDP Frame Handling

Publication date: 2026-02-14

Last updated on: 2026-03-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Subtract size of xdp_frame from allowed metadata size

The xdp_frame structure takes up part of the XDP frame headroom, limiting the size of the metadata. However, in bpf_test_run, we don't take this into account, which makes it possible for userspace to supply a metadata size that is too large (taking up the entire headroom).

If userspace supplies such a large metadata size in live packet mode, the xdp_update_frame_from_buff() call in xdp_test_run_init_page() will fail, after which packet transmission proceeds with an uninitialised frame structure, leading to the usual Bad Stuff.

The commit in the Fixes tag fixed a related bug where the second check in xdp_update_frame_from_buff() could fail, but did not add any additional constraints on the metadata size. Complete the fix by adding an additional check on the metadata size. Reorder the checks slightly to make the logic clearer and add a comment.
Meta Information
Published: 2026-02-14
Last Modified: 2026-03-17
Generated: 2026-05-07
AI Q&A: 2026-02-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 9 associated CPEs
Vendor   Product        Version / Range
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   From 5.18 (inc) to 6.1.161 (exc)
linux    linux_kernel   From 6.13 (inc) to 6.18.6 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.6.121 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.66 (exc)
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's handling of XDP (eXpress Data Path) frames within the bpf_test_run function. Specifically, the size of the xdp_frame structure, which occupies part of the XDP frame headroom, was not accounted for when validating the metadata size supplied by userspace. This oversight allowed userspace to specify a metadata size that was too large, potentially consuming the entire headroom.

When such an oversized metadata size is supplied in live packet mode, a function call (xdp_update_frame_from_buff) fails, but packet transmission continues using an uninitialized frame structure. This can lead to unpredictable and potentially harmful behavior.

The fix involved adding an additional check on the metadata size and reordering the validation logic to prevent this condition.
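
The gap between the entry check and the later frame update, as an added user-space model in C (not kernel code and not part of the original page). `MODEL_HEADROOM`, `MODEL_FRAME_SZ` and all function names are assumptions chosen for illustration; the real structure size depends on the kernel build.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed model constants, not taken from the page or from a kernel build. */
#define MODEL_HEADROOM 256u  /* stand-in for the XDP frame headroom */
#define MODEL_FRAME_SZ 40u   /* stand-in for sizeof(struct xdp_frame) */

/* Entry check as the description says it was: metadata only had to fit
 * the headroom, so it could take up all of it. */
static int meta_ok_before(size_t meta_len)
{
    return meta_len <= MODEL_HEADROOM;
}

/* Entry check with the frame structure subtracted from the allowed size. */
static int meta_ok_after(size_t meta_len)
{
    return meta_len <= MODEL_HEADROOM - MODEL_FRAME_SZ;
}

/* Later step: the frame structure must fit in whatever headroom is left
 * once the metadata has been placed. Callers must check the result. */
static int frame_update_model(size_t meta_len)
{
    if (meta_len > MODEL_HEADROOM || MODEL_HEADROOM - meta_len < MODEL_FRAME_SZ)
        return -ENOSPC;
    return 0;
}

/* Count lengths the entry check accepts but the later step rejects. */
static size_t count_gap(int (*entry_check)(size_t))
{
    size_t gap = 0;
    for (size_t len = 0; len <= MODEL_HEADROOM; len++)
        if (entry_check(len) && frame_update_model(len) != 0)
            gap++;
    return gap;
}

int main(void)
{
    printf("accepted but unusable, before: %zu\n", count_gap(meta_ok_before));
    printf("accepted but unusable, after:  %zu\n", count_gap(meta_ok_after));
    return 0;
}
```

With the subtraction in place, every length the entry check accepts also leaves room for the frame structure, so the later step has no failure case left to mishandle.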


How can this vulnerability impact me?

This vulnerability can lead to packet transmission using uninitialized frame structures, which may cause unpredictable behavior in the kernel's packet processing. Such behavior could result in system instability, crashes, or potentially allow malicious userspace processes to cause denial of service or other unintended effects.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

