CVE-2026-23343

EUVD-2026-15310

25.03.2026, 11:16

In the Linux kernel, the following vulnerability has been resolved:

xdp: produce a warning when calculated tailroom is negative

Many ethernet drivers report xdp Rx queue frag size as being the same as
DMA write size. However, the only user of this field, namely
bpf_xdp_frags_increase_tail(), clearly expects a truesize.

Such difference leads to unspecific memory corruption issues under certain
circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when
running xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses
all DMA-writable space in 2 buffers. This would be fine, if only
rxq->frag_size was properly set to 4K, but value of 3K results in a
negative tailroom, because there is a non-zero page offset.

We are supposed to return -EINVAL and be done with it in such case, but due
to tailroom being stored as an unsigned int, it is reported to be somewhere
near UINT_MAX, resulting in a tail being grown, even if the requested
offset is too much (it is around 2K in the abovementioned test). This later
leads to all kinds of unspecific calltraces.

[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6
[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4
[ 7340.338179]  in libc.so.6[61c9d,7f4161aaf000+160000]
[ 7340.339230]  in xskxceiver[42b5,400000+69000]
[ 7340.340300]  likely on CPU 6 (core 0, socket 6)
[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe
[ 7340.340888]  likely on CPU 3 (core 0, socket 3)
[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7
[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI
[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)
[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80
[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89
[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202
[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010
[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff
[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0
[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0
[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500
[ 7340.418229] FS:  0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000
[ 7340.419489] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0
[ 7340.421237] PKRU: 55555554
[ 7340.421623] Call Trace:
[ 7340.421987]  <TASK>
[ 7340.422309]  ? softleaf_from_pte+0x77/0xa0
[ 7340.422855]  swap_pte_batch+0xa7/0x290
[ 7340.423363]  zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270
[ 7340.424102]  zap_pte_range+0x281/0x580
[ 7340.424607]  zap_pmd_range.isra.0+0xc9/0x240
[ 7340.425177]  unmap_page_range+0x24d/0x420
[ 7340.425714]  unmap_vmas+0xa1/0x180
[ 7340.426185]  exit_mmap+0xe1/0x3b0
[ 7340.426644]  __mmput+0x41/0x150
[ 7340.427098]  exit_mm+0xb1/0x110
[ 7340.427539]  do_exit+0x1b2/0x460
[ 7340.427992]  do_group_exit+0x2d/0xc0
[ 7340.428477]  get_signal+0x79d/0x7e0
[ 7340.428957]  arch_do_signal_or_restart+0x34/0x100
[ 7340.429571]  exit_to_user_mode_loop+0x8e/0x4c0
[ 7340.430159]  do_syscall_64+0x188/
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.18.1 ≤ 𝑥 < 6.1.167
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.130
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.77
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.17
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.7
linux	linux_kernel	5.18
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5
linux	linux_kernel	7.0:rc6
linux	linux_kernel	7.0:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.12-2 fixed
sid	7.0.13-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.94-1 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

Amazon Linux Releases

Amazon Package

Release

bpftool

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

bpftool-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

bpftool6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

bpftool6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

bpftool6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

bpftool6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-debuginfo-common-aarch64

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-debuginfo-common-x86_64

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-devel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-headers

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf-devel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-libbpf-static

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-livepatch-6.1.168-202.320

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.12.77-99.140

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.18.20-20.229

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-modules-extra

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-modules-extra-common

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-tools

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-tools-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel-tools-devel

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

kernel6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo-common-aarch64

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-debuginfo-common-x86_64

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-headers

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-libbpf-static

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-modules-extra

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-modules-extra-common

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.12-tools-devel

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

kernel6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-debuginfo-common-aarch64

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-debuginfo-common-x86_64

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-devel

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-headers

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf-devel

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-libbpf-static

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-modules-extra

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-modules-extra-common

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-tools

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-tools-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

kernel6.18-tools-devel

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

perf

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

perf-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

perf6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

perf6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

perf6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

perf6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

python3-perf

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

python3-perf-debuginfo

Amazon Linux 2023

1:6.1.168-202.320.amzn2023

fixed

python3-perf6.12

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

python3-perf6.12-debuginfo

Amazon Linux 2023

1:6.12.77-99.140.amzn2023

fixed

python3-perf6.18

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

python3-perf6.18-debuginfo

Amazon Linux 2023

1:6.18.20-20.229.amzn2023

fixed

Azure Linux Releases

Azure Package

Release

kernel

Azure Linux 3.0

0:6.6.130.1-1.azl3

fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/01379540452a02bbc52f639d45dd365cd3624efb

https://git.kernel.org/stable/c/8821e857759be9db3cde337ad328b71fe5c8a55f

https://git.kernel.org/stable/c/94b9da7e9f958cb3d115b21eff824ecd8c3217aa

https://git.kernel.org/stable/c/98cd8b4d0b836d3edf70161f40efd9cbb8c8f252

https://git.kernel.org/stable/c/a0fb59f527d03c60b2cd547cfae4a842ad84670f

https://git.kernel.org/stable/c/c7c790a07697148c41e2d03eb28efe132adda749