CVE-2026-23359
Stack-Out-of-Bounds Write in Linux Kernel BPF devmap Component
Publication date: 2026-03-25
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.15 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 5.15.1 (inc) to 5.15.203 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's BPF subsystem, specifically in the function get_upper_ifindexes(). The function iterates over all upper network devices and writes their indices into an array without checking if the array bounds are exceeded.
The problem arises because the code assumes the maximum number of upper devices is MAX_NEST_DEV (which is 8), and allocates an array on the stack accordingly. However, the actual number of upper devices can be larger (for example, when many macvlans are created), leading to a stack-out-of-bounds write.
This stack-out-of-bounds write can cause memory corruption and potentially lead to security issues. The fix involves adding a maximum parameter to the function to prevent writing beyond the allocated array and aborting the redirect if there are too many upper devices.
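As an added illustration (not the kernel's code), a user-space model of the bounded collector the fix describes: the exclusion list is a stack array of MAX_NEST_DEV slots, and the `max` parameter turns a ninth upper device into -EOVERFLOW and an aborted redirect instead of a write past the array. The net_device layout, the helper names other than get_upper_ifindexes, and the ifindex values are assumptions made for the demo.

```c
#include <errno.h>
#include <stdio.h>

#define MAX_NEST_DEV 8      /* value given in the advisory text */
#define DEMO_MAX_UPPERS 16  /* constructed capacity for the demo topology */

/* Assumed stand-in for net_device: its ifindex and those of its uppers (e.g. macvlans). */
struct net_device {
    int ifindex;
    int n_upper;
    int upper_ifindex[DEMO_MAX_UPPERS];
};

/* Bounded collector modelled on the fix: at most `max` writes, else -EOVERFLOW. */
static int get_upper_ifindexes(const struct net_device *dev, int *indexes, int max)
{
    int n = 0;
    for (int i = 0; i < dev->n_upper; i++) {
        if (n >= max)
            return -EOVERFLOW;  /* too many upper devices: let the caller abort */
        indexes[n++] = dev->upper_ifindex[i];
    }
    return n;
}

/* Models the BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS path: the exclusion list is a
 * fixed stack array, so the redirect aborts instead of overflowing it.
 * Returns the number of excluded uppers, or -EOVERFLOW. */
static int broadcast_exclude_ingress(const struct net_device *dev_rx)
{
    int excluded_devices[MAX_NEST_DEV];
    return get_upper_ifindexes(dev_rx, excluded_devices, MAX_NEST_DEV);
}

/* Builds a device with `count` macvlan-like uppers (constructed data) and runs the model. */
int demo_redirect(int count)
{
    struct net_device dev = { .ifindex = 1, .n_upper = 0 };
    for (int i = 0; i < count && i < DEMO_MAX_UPPERS; i++)
        dev.upper_ifindex[dev.n_upper++] = 100 + i;  /* constructed ifindexes */
    return broadcast_exclude_ingress(&dev);
}

int main(void)
{
    printf("8 macvlans: rc=%d\n", demo_redirect(8));  /* prints 8 */
    printf("9 macvlans: rc=%d\n", demo_redirect(9));  /* negative: -EOVERFLOW */
    return 0;
}
```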
How can this vulnerability impact me?
This vulnerability can lead to a stack-out-of-bounds write in the Linux kernel, which may cause memory corruption.
Memory corruption in kernel space can potentially be exploited to cause system crashes, denial of service, or even privilege escalation, depending on the context and exploitability.
Specifically, if you use XDP programs with BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS flags on devices with many macvlans (more than 8), sending packets to such devices could trigger this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system has more than MAX_NEST_DEV (8) macvlans created on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. To reproduce or detect the issue, you can create more than 8 macvlans on a device and then send a packet to that device to trigger the XDP redirect path.
- List the macvlans on your device to count how many exist (e.g. with `ip link show`).
- Check if an XDP program is attached to the device using commands like `ip link show dev <device>` or `bpftool net`.
- Send a test packet to the device to observe if any abnormal behavior or crashes occur, which may indicate the vulnerability is triggered.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves limiting the number of upper devices (such as macvlans) on a device to not exceed MAX_NEST_DEV (8), especially when an XDP program is attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Additionally, ensure your Linux kernel is updated to a version where this vulnerability is fixed, as the patch adds a max parameter to get_upper_ifindexes() to prevent stack-out-of-bounds writes by returning -EOVERFLOW and aborting the redirect when too many upper devices exist.