Skip to main content

Linux EUVDEUVD-2026-15384

| CVE-2026-23386 MEDIUM
2026-03-25 Linux GHSA-qq3v-279p-2285
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15384
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:28 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL

In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array.

This leads to two issues:

  1. The dma array shares storage with tx_qpl_buf_ids (union).

Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations.

  1. num_bufs in QPL mode (counting 2K chunks) can significantly exceed

the size of the dma array, causing out-of-bounds access warnings (trace below is how we noticed this issue).

UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]') Workqueue: gve gve_service_task [gve] Call Trace: <TASK> dump_stack_lvl+0x33/0xa0 __ubsan_handle_out_of_bounds+0xdc/0x110 gve_tx_stop_ring_dqo+0x182/0x200 [gve] gve_close+0x1be/0x450 [gve] gve_reset+0x99/0x120 [gve] gve_service_task+0x61/0x100 [gve] process_scheduled_works+0x1e9/0x380

Fix this by properly checking for QPL mode and delegating to gve_free_tx_qpl_bufs() to reclaim the buffers.

AnalysisAI

A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.

Technical ContextAI

The vulnerability resides in the Google Virtual Ethernet driver (drivers/net/ethernet/google/gve/gve_tx_dqo.c) within the Linux kernel. The GVE driver supports two buffer management modes: RDA (Registered Data Area) and QPL (Queue Pair Lists). In QPL mode, buffer identifiers and DMA addresses share storage via a union structure (tx_qpl_buf_ids and dma array are aliases). The gve_tx_clean_pending_packets() function fails to check the operational mode and inappropriately uses the RDA cleanup path that calls dma_unmap operations on buffer IDs rather than actual DMA addresses. Additionally, QPL mode counts buffer chunks (2K units), causing num_bufs to exceed the fixed dma array size of 18 entries, triggering UBSAN (Undefined Behavior Sanitizer) out-of-bounds warnings. The root cause is a type confusion issue (CWE-843 or similar union-related misuse) combined with inadequate bounds checking. This affects all Linux kernel CPE entries (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) across multiple stable branches.

RemediationAI

Update the Linux kernel to a stable version containing one of the referenced patch commits: 71511dae56a75ce161aa746741e5c498feaea393, c171f90f58974c784db25e0606051541cb71b7f0, 07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f, 3744ebd8ffaa542ae8110fb449adcac0202f4cc8, or fb868db5f4bccd7a78219313ab2917429f715cea. These patches correct the gve_tx_clean_pending_packets() function to properly detect QPL mode and delegate buffer cleanup to gve_free_tx_qpl_bufs() instead of using the RDA unmap path. Apply the updates via your Linux distribution's kernel update mechanism (apt/yum/zypper) and reboot to activate the patched kernel. For systems unable to immediately update, avoid triggering device reset operations (gve interface down/up cycles) on production workloads until patches are applied. Verify patch application by confirming kernel version post-update and checking system logs for absence of UBSAN out-of-bounds warnings. Patches are available via git.kernel.org/stable at the commit hashes provided in the CVE references.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy