CVE-2026-23262
Buffer Overflow in Linux gve Driver Causes Stats Memory Corruption
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's gve driver, which manages communication between the driver and the network interface card (NIC) for statistics reporting.
The driver and NIC share a memory region for stats reporting. The NIC calculates its offset into this region based on the total size of the stats region and the size of the NIC's stats.
When the number of queues changes, the driver's stats region is resized. If the queue count increases, the NIC may write beyond the allocated stats region, causing memory corruption. If the queue count decreases, a gap appears between the driver and NIC stats, leading to incorrect stats reporting.
The fix involves allocating the stats region with the maximum size and adjusting the NIC stats offset calculation to align correctly, preventing memory corruption and incorrect stats.
How can this vulnerability impact me? :
This vulnerability can cause memory corruption in the Linux kernel when the number of queues is increased, potentially leading to system instability or crashes.
Additionally, if the queue count is decreased, it can result in incorrect statistics reporting from the NIC, which may affect monitoring and performance analysis.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know