Skip to main content

Linux EUVDEUVD-2026-15367

| CVE-2026-23377 MEDIUM
2026-03-25 Linux GHSA-r46f-q3f8-wrrg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15367
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

The only user of frag_size field in XDP RxQ info is bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead of DMA write size. Different assumptions in ice driver configuration lead to negative tailroom.

This allows to trigger kernel panic, when using XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to 6912 and the requested offset to a huge value, e.g. XSK_UMEM__MAX_FRAME_SIZE * 100.

Due to other quirks of the ZC configuration in ice, panic is not observed in ZC mode, but tailroom growing still fails when it should not.

Use fill queue buffer truesize instead of DMA write size in XDP RxQ info. Fix ZC mode too by using the new helper.

AnalysisAI

A memory buffer management vulnerability exists in the Linux kernel's ice network driver XDP (eXpress Data Path) implementation, specifically in how it calculates fragment buffer sizes for receive queues. The vulnerability affects Linux kernel versions with the vulnerable ice driver code path and can be triggered through XDP operations that attempt to grow multi-buffer packet tails, potentially causing kernel panics or denial of service. An attacker with the ability to load and execute XDP programs can exploit this by crafting specific packet sizes and offset values to trigger the panic condition, as demonstrated by the XSK_UMEM__MAX_FRAME_SIZE test case, though real-world exploitation requires local access to load XDP programs.

Technical ContextAI

The vulnerability exists in the Intel ice Ethernet driver's XDP receive queue (RxQ) configuration within the Linux kernel (affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). The root cause is a semantic mismatch in the frag_size field used by XDP operations: the ice driver was setting this field to the DMA write length rather than the actual buffer size (xdp.frame_sz). The bpf_xdp_frags_increase_tail() function expects frag_size to represent the entire buffer size to correctly calculate tailroom for multi-buffer XDP packets. When the XDP_ADJUST_TAIL_GROW_MULTI_BUFF operation attempts to grow packet tails, it uses this incorrect frag_size value, resulting in negative tailroom calculations. This is fundamentally a logic error in buffer accounting rather than a memory corruption vulnerability, though it manifests as a denial of service through kernel panic. The fix involves replacing DMA write length with the actual fill queue buffer truesize in both standard and zero-copy (ZC) modes.

RemediationAI

Apply the Linux kernel patches from the stable kernel repository by upgrading to a kernel version that includes commits b0f05100e8795aadd1c0606bae9caefbda070d63 and e142dc4ef0f451b7ef99d09aaa84e9389af629d7. Most Linux distributions will provide these patches through regular security updates to their kernel packages; users should update to the latest stable kernel version available from their distribution. Until patching is possible, restrict XDP program loading capabilities to trusted administrators only by enforcing strict AppArmor or SELinux policies that limit CAP_SYS_RESOURCE and CAP_SYS_ADMIN capabilities. Additionally, disable zero-copy XDP mode if not required, revert to standard packet processing mode, or avoid using XDP_ADJUST_TAIL_GROW_MULTI_BUFF operations until the kernel is patched. Monitor kernel logs for BUG messages related to XDP tail operations as an early warning sign. See upstream kernel patches at https://git.kernel.org/stable/c/b0f05100e8795aadd1c0606bae9caefbda070d63 and https://git.kernel.org/stable/c/e142dc4ef0f451b7ef99d09aaa84e9389af629d7.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy