CVE-2026-23359
Received Received - Intake
Stack-Out-of-Bounds Write in Linux Kernel BPF devmap Component

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23359
EUVD
EUVD-2026-15336
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.15
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 5.15.1 (inc) to 5.15.203 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF subsystem, specifically in the function get_upper_ifindexes(). The function iterates over all upper network devices and writes their indices into an array without checking if the array bounds are exceeded.

The problem arises because the code assumes the maximum number of upper devices is MAX_NEST_DEV (which is 8), and allocates an array on the stack accordingly. However, the actual number of upper devices can be larger (for example, when many macvlans are created), leading to a stack-out-of-bounds write.

This stack-out-of-bounds write can cause memory corruption and potentially lead to security issues. The fix involves adding a maximum parameter to the function to prevent writing beyond the allocated array and aborting the redirect if there are too many upper devices.

Impact Analysis

This vulnerability can lead to a stack-out-of-bounds write in the Linux kernel, which may cause memory corruption.

Memory corruption in kernel space can potentially be exploited to cause system crashes, denial of service, or even privilege escalation, depending on the context and exploitability.

Specifically, if you use XDP programs with BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS flags on devices with many macvlans (more than 8), sending packets to such devices could trigger this vulnerability.

Detection Guidance

This vulnerability can be detected by checking if your system has more than MAX_NEST_DEV (8) macvlans created on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. To reproduce or detect the issue, you can create more than 8 macvlans on a device and then send a packet to that device to trigger the XDP redirect path.

  • List the macvlans on your device to count how many exist (e.g., using `ip link show` or `ip link` commands).
  • Check if an XDP program is attached to the device using commands like `ip link show dev <device>` or `bpftool net`.
  • Send a test packet to the device to observe if any abnormal behavior or crashes occur, which may indicate the vulnerability is triggered.
Mitigation Strategies

Immediate mitigation involves limiting the number of upper devices (such as macvlans) on a device to not exceed MAX_NEST_DEV (8), especially when an XDP program is attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.

Additionally, ensure your Linux kernel is updated to a version where this vulnerability is fixed, as the patch adds a max parameter to get_upper_ifindexes() to prevent stack-out-of-bounds writes by returning -EOVERFLOW and aborting the redirect when too many upper devices exist.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart