CVE-2026-23172
Buffer Overflow in Linux Kernel t7xx_dpmaif RX Path
Publication date: 2026-02-14
Last updated on: 2026-04-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.123 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.7 (inc) to 6.12.69 (exc) |
| linux | linux_kernel | From 5.19 (inc) to 6.1.162 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's network driver for wwan (wireless wide area network) devices, specifically in the t7xx_dpmaif_set_frag_to_skb() function. When receiving data packets, this function adds page fragments to a socket buffer (skb) without verifying if the number of fragments exceeds the maximum allowed (MAX_SKB_FRAGS).
If the number of fragments exceeds this limit, it can cause a buffer overflow in the skb's fragments array, which may corrupt adjacent memory. This memory corruption can lead to kernel crashes or other unpredictable behavior.
The vulnerability could be triggered by malicious, buggy, or compromised modem firmware that sends packets with an excessive number of fragments, beyond what the kernel expects under normal conditions.
The fix involves adding a bounds check before adding fragments to ensure the number does not exceed MAX_SKB_FRAGS, preventing buffer overflow and related issues.
How can this vulnerability impact me? :
This vulnerability can impact you by causing kernel crashes or undefined behavior on systems running the affected Linux kernel with the vulnerable wwan driver.
If exploited, it could lead to system instability or denial of service due to memory corruption triggered by crafted packets with excessive fragments.
Since the issue arises from trusting potentially malicious modem firmware, compromised or buggy firmware could be used as an attack vector to exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that your Linux kernel is updated with the fix that adds a bounds check before calling skb_add_rx_frag() in the t7xx_dpmaif_set_frag_to_skb() function.
This fix prevents the skb->frags overflow by verifying that the number of fragments does not exceed MAX_SKB_FRAGS, protecting against buffer overflow and potential kernel crashes.
Since the vulnerability arises from potentially malicious or buggy modem firmware sending packets with excessive fragments, updating the kernel to include this fix is the immediate and effective mitigation step.