CVE-2026-23386
Out-of-Bounds Access in Linux gve Driver Causes Buffer Mismanagement
Publication date: 2026-03-25
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.6 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.6.1 (inc) to 6.6.130 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the gve driver has been patched to fix the incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL mode.
The fix involves properly checking for QPL mode and delegating buffer cleanup to gve_free_tx_qpl_bufs(), preventing out-of-bounds memory access.
Until the patch is applied, consider disabling or unloading the gve driver if it is not essential, to avoid triggering the faulty buffer cleanup code.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's gve driver, specifically in the function gve_tx_clean_pending_packets when operating in DQ-QPL mode.
The function incorrectly uses the RDA buffer cleanup path, iterating num_bufs times and attempting to unmap entries in the dma array. However, the dma array shares storage with tx_qpl_buf_ids, so interpreting buffer IDs as DMA addresses causes attempts to unmap incorrect memory locations.
Additionally, num_bufs in QPL mode counts 2K chunks and can significantly exceed the size of the dma array, leading to out-of-bounds access warnings and potential memory safety issues.
The issue was detected by UBSAN (Undefined Behavior Sanitizer) reporting an array-index-out-of-bounds error.
The fix involved properly checking for QPL mode and delegating buffer cleanup to the correct function gve_free_tx_qpl_bufs() to safely reclaim buffers.
How can this vulnerability impact me? :
This vulnerability can lead to incorrect memory unmapping and out-of-bounds memory access within the Linux kernel's gve driver.
Such memory safety issues can cause kernel instability, crashes, or undefined behavior, potentially affecting system reliability and availability.
While no direct exploit or privilege escalation is described, improper memory handling in kernel space can be a security risk and may be leveraged in broader attack scenarios.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for out-of-bounds access warnings related to the gve driver in the Linux kernel logs. Specifically, look for UBSAN (Undefined Behavior Sanitizer) messages indicating array-index-out-of-bounds errors in gve_tx_dqo.c around line 178.
You can check the kernel logs for such errors using commands like:
- dmesg | grep -i 'gve_tx_dqo.c'
- journalctl -k | grep -i 'gve_tx_dqo.c'
- grep -i 'array-index-out-of-bounds' /var/log/kern.log
These commands help identify if the kernel is reporting the specific out-of-bounds access related to this vulnerability.