Skip to main content

Linux EUVDEUVD-2026-15391

| CVE-2026-23390 HIGH
Out-of-bounds Write (CWE-787)
2026-03-25 Linux GHSA-qf3f-hxv9-hpx7
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 18:37 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 18:37 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15391
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:29 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow

The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu creating large DRM buffers, nents can exceed 1000 entries, resulting in:

phys_addrs: 1000 * 8 bytes = 8,000 bytes dma_addrs: 1000 * 8 bytes = 8,000 bytes lengths: 1000 * 4 bytes = 4,000 bytes Total: ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405 perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at 128 entries using min() in the array size calculation. This ensures arrays are only as large as needed (up to the cap), avoiding unnecessary memory allocation for small operations while preventing overflow for large ones.

The tracepoint now records the full nents/ents counts and a truncated flag so users can see when data has been capped.

Changes in v2:

  • Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing

instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from Steven Rostedt)

  • This allocates only what's needed up to the cap, avoiding waste

for small operations

Reviwed-by: Sean Anderson <sean.anderson@linux.dev>

AnalysisAI

A buffer overflow vulnerability exists in the Linux kernel's dma_map_sg tracepoint that can be triggered when tracing large scatter-gather lists, particularly with devices like virtio-gpu that create large DRM buffers exceeding 1000 entries. The vulnerability affects all Linux kernel versions prior to the fix and can cause perf buffer overflow warnings and potential kernel instability when dynamic array allocations exceed PERF_MAX_TRACE_SIZE (8192 bytes). While this is a kernel-level issue requiring local access to trigger tracing functionality, it poses a denial-of-service risk and memory safety concern for systems using performance tracing on workloads with large scatter-gather operations.

Technical ContextAI

The vulnerability resides in the Linux kernel's DMA tracing infrastructure, specifically the dma_map_sg tracepoint implementation used to monitor scatter-gather DMA operations. The root cause is insufficient bounds checking on dynamic array allocations within the tracepoint (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer). The dma_map_sg tracepoint allocates three dynamic arrays—phys_addrs (8 bytes per entry), dma_addrs (8 bytes per entry), and lengths (4 bytes per entry)—without capping the number of entries. With nents values exceeding 1000, total allocation can reach 20,000 bytes, far exceeding the PERF_MAX_TRACE_SIZE limit of 8192 bytes. The affected products include Linux kernel (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) across all versions, with virtualization platforms and DRM subsystems being particularly exposed due to large buffer operations.

RemediationAI

Apply kernel patches from the Linux stable branches immediately: commit 02d209bb018a40dee9eac89e91860253dee9605b or later. For major distributions, apply security updates when released through official channels (apt/yum/zypper). For custom kernel builds, rebuild with the applied patch and redeploy. If immediate patching is not feasible, disable kernel tracing (perf, ftrace) via sysctl (kernel.perf_event_paranoid = 3, kernel.trace_syscalls = 0) to eliminate the trigger vector, restrict CAP_SYS_ADMIN capabilities to trusted users only, and monitor system logs for buffer overflow warnings (dmesg | grep 'perf buffer not large enough'). Verify patching via git log --oneline linux-stable | grep -i 'dma_map_sg' or checking kernel version numbers against distribution release notes (https://www.kernel.org/releases.html). No workarounds eliminate risk entirely; patching is the primary solution.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie fixed 6.12.74-1 -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.18.13-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy