Skip to main content

Linux CVE-2026-23459

| EUVDEUVD-2026-18718 HIGH
2026-04-03 Linux
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.2 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
8431c602f551549f082bbfa67f3003f2d8e3e132,0d087d00161f562d5047cc4009bb0c6a19daf9f1
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18718
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS

Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats().

iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS.

@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.

32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten.

This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.

AnalysisAI

Memory corruption and potential kernel freezes occur in the Linux kernel's IP tunnel implementation when VXLAN or GENEVE tunnels transmit packets, due to incorrect offset calculations in per-CPU statistics tracking on 32-bit systems. The vulnerability arises from iptunnel_xmit_stats() assuming all tunnels use NETDEV_PCPU_STAT_TSTATS, but VXLAN and GENEVE actually use NETDEV_PCPU_STAT_DSTATS with a different memory layout, causing syncp sequence counter overwrites that corrupt statistics or deadlock the kernel. Patch commits are available in the Linux kernel stable tree and address this by adapting the statistics handler and repositioning the pcpu_stat_type field to improve cache efficiency.

Technical ContextAI

The vulnerability exists in the Linux kernel's IP tunnel statistics handling subsystem, specifically in the iptunnel_xmit_stats() function located in net/ipv4/ip_tunnel.c. The issue involves per-CPU network device statistics (pcpu_sw_netstats and pcpu_dstats structures) which have different memory layouts: the syncp (synchronization point) sequence counter offset differs between NETDEV_PCPU_STAT_TSTATS and NETDEV_PCPU_STAT_DSTATS. UDP tunnel implementations (UDP_TUNNEL and UDP_TUNNEL6) used by VXLAN and GENEVE protocols call iptunnel_xmit_stats(), which was coded to only handle the TSTATS variant. On 32-bit kernel architectures, writing statistics to the wrong offset corrupts the syncp field, leading to either data corruption or infinite synchronization loops. The root cause is a type confusion where the statistics handler fails to account for multiple per-CPU statistics layouts introduced by recent kernel changes.

RemediationAI

Apply the Linux kernel patch from the stable tree, specifically commit 0d087d00161f562d5047cc4009bb0c6a19daf9f1 or commit 8431c602f551549f082bbfa67f3003f2d8e3e132, both available at https://git.kernel.org/stable/. The fix adapts iptunnel_xmit_stats() to correctly handle both NETDEV_PCPU_STAT_TSTATS and NETDEV_PCPU_STAT_DSTATS variants by detecting the per-CPU statistics type and applying the correct offset calculation. Users should upgrade to the next patched stable kernel release in their branch (5.10.x, 5.15.x, 6.1.x, or newer, depending on their current version). For immediate mitigation on critical 32-bit systems, disable VXLAN and GENEVE tunnel functionality if not required, or route such traffic through user-space implementations until a patched kernel is available. Verify after patching that tunnel statistics are recorded correctly and that the kernel does not hang during sustained tunnel traffic.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy