CVE-2026-23386

EUVD-2026-15384
In the Linux kernel, the following vulnerability has been resolved:

gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL

In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA
buffer cleanup path. It iterates num_bufs times and attempts to unmap
entries in the dma array.

This leads to two issues:
1. The dma array shares storage with tx_qpl_buf_ids (union).
 Interpreting buffer IDs as DMA addresses results in attempting to
 unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed
 the size of the dma array, causing out-of-bounds access warnings
(trace below is how we noticed this issue).

UBSAN: array-index-out-of-bounds in
drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of
range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
Workqueue: gve gve_service_task [gve]
Call Trace:
<TASK>
dump_stack_lvl+0x33/0xa0
__ubsan_handle_out_of_bounds+0xdc/0x110
gve_tx_stop_ring_dqo+0x182/0x200 [gve]
gve_close+0x1be/0x450 [gve]
gve_reset+0x99/0x120 [gve]
gve_service_task+0x61/0x100 [gve]
process_scheduled_works+0x1e9/0x380

Fix this by properly checking for QPL mode and delegating to
gve_free_tx_qpl_bufs() to reclaim the buffers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.6.1 ≤
𝑥
< 6.6.130
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.78
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.17
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.7
linuxlinux_kernel
6.6
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
linuxlinux_kernel
7.0:rc5
linuxlinux_kernel
7.0:rc6
linuxlinux_kernel
7.0:rc7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.170-3
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-4
fixed
forky
7.0.4-1
fixed
sid
7.0.4-1
fixed
trixie
vulnerable
trixie (security)
6.12.86-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
kernel-64kb
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
kernel-default
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
kernel-default-base
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1.150700.17.25.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1.150700.17.25.1
fixed
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1.150700.17.25.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
kernel-docs
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
kernel-macros
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
kernel-source
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
kernel-syms
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.37.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.37.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.299.1
fixed
References
https://git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f
https://git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8
https://git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393
https://git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0
https://git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea