Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
gve: Fix stats report corruption on queue count change
The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats region and the size of the NIC's stats.
When the number of queues is changed, the driver's stats region is resized. If the queue count is increased, the NIC can write past the end of the allocated stats region, causing memory corruption. If the queue count is decreased, there is a gap between the driver and NIC stats, leading to incorrect stats reporting.
This change fixes the issue by allocating stats region with maximum size, and the offset calculation for NIC stats is changed to match with the calculation of the NIC.
AnalysisAI
A memory corruption vulnerability exists in the Linux kernel's Google Virtual Ethernet (gve) driver where dynamic queue count changes cause misalignment between the driver's stats region and the NIC's offset calculations. When queue counts increase, the NIC can write past the allocated stats region boundary causing heap corruption; when decreased, stats data becomes misaligned. This affects Linux kernel versions across multiple stable branches (as evidenced by patches in 5.10, 5.15, 6.1, 6.6, 6.7, 6.8, and 6.9 series). The vulnerability is not currently listed as actively exploited in KEV, but represents a critical reliability and security issue for systems using Google Cloud Platform infrastructure with the affected gve driver.
Technical ContextAI
The vulnerability resides in the gve (Google Virtual Ethernet) driver (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), which manages network communication between guest VMs and the hypervisor in Google Cloud environments. The root cause is a synchronization failure in how the driver and NIC calculate offsets into a shared memory region used for statistics reporting. When the driver resizes its stats allocation due to queue count changes, it does not coordinate this with the NIC's offset calculation logic. This is a classic buffer boundary violation (related to CWE-120: Buffer Copy without Checking Size of Input) where the NIC uses the total stats region size and its own stats structure size to derive an offset, but this calculation becomes invalid when the driver's allocation shrinks or grows without reallocating the maximum possible size upfront. The fix allocates the stats region at maximum capacity regardless of current queue count, ensuring the NIC's offset calculations remain valid.
RemediationAI
Upgrade the Linux kernel to the patched version corresponding to your currently running kernel series: for 5.10.y upgrade to include commit 11f8311f69e4c361717371b4901ff92daeb76e9c or later, for 5.15.y include commit 7b9ebcce0296e104a0d82a6b09d68564806158ff or later, for 6.1.y include commit 9fa0a755db3e1945fe00f73fe27d85ef6c8818b7 or later, and similarly for 6.6, 6.7, 6.8, and 6.9 series. Patch references are available at https://git.kernel.org/stable/c/ followed by the respective commit hash. For immediate remediation on Google Cloud Platform, apply kernel patches via your Linux distribution's package manager (apt, yum, etc.) or compile and deploy patched kernel sources. During the patching window, avoid dynamic queue count scaling operations on affected systems, as these trigger the vulnerability. If queue rebalancing is required prior to patching, schedule brief maintenance windows to minimize exposure. No workarounds exist to fully mitigate the vulnerability without patching.
More in Linux Kernel
View allLinux kernel contains a flaw known as 'Dirty Pipe' where improper pipe buffer flag initialization allows unprivileged lo
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does no
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate cer
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. Rated high severity (CVSS 7.0). Public ex
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr op
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allo
Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cau
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object ref
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the h
Same technique Memory Corruption
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 5.10.251-1 | - |
| bullseye (security) | fixed | 5.10.251-1 | - |
| bookworm | fixed | 6.1.164-1 | - |
| bookworm (security) | fixed | 6.1.164-1 | - |
| trixie | fixed | 6.12.73-1 | - |
| trixie (security) | fixed | 6.12.74-2 | - |
| forky | fixed | 6.19.6-2 | - |
| sid | fixed | 6.19.8-1 | - |
| (unstable) | fixed | 6.18.10-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12898