CVE-2026-23359

HIGH EPSS 2.9%
Published Mar 25, 20263mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Mar 25, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 14

VendorProductVersionRange
linuxlinux_kernel*≥5.15.1  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.77
linuxlinux_kernel*≥6.13  –  <6.18.17
linuxlinux_kernel*≥6.19  –  <6.19.7
linuxlinux_kernel5.15any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7
    Patch