CVE-2026-23359


Published: Mar 25, 2026

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stack-out-of-bounds write in devmap

get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write.

Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
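The bounded-collector pattern the description names, as a user-space model added here for illustration; it is not the kernel patch. struct model_dev, get_upper_ifindexes_bounded(), build_excluded(), demo_redirect() and MODEL_MAX_UPPERS are hypothetical names, and using the extra "1 +" slot for the ingress device's own ifindex is an assumption of the model.

```c
#include <errno.h>

#define MAX_NEST_DEV 8        /* value quoted in the CVE description */
#define MODEL_MAX_UPPERS 64   /* constructed limit, this model only */

/* Hypothetical user-space stand-in for a device and its upper devices. */
struct model_dev {
    int ifindex;
    int upper_ifindex[MODEL_MAX_UPPERS];
    int n_upper;
};

/* Bounded collector: never writes more than max entries into indexes[]. */
static int get_upper_ifindexes_bounded(const struct model_dev *dev,
                                       int *indexes, int max)
{
    int n = 0;

    for (int i = 0; i < dev->n_upper; i++) {
        if (n >= max)
            return -EOVERFLOW;   /* too many uppers: caller must abort */
        indexes[n++] = dev->upper_ifindex[i];
    }
    return n;
}

/* Caller model: returns the number of entries stored, or -EOVERFLOW. */
static int build_excluded(const struct model_dev *dev,
                          int excluded[1 + MAX_NEST_DEV])
{
    int n = get_upper_ifindexes_bounded(dev, excluded, MAX_NEST_DEV);

    if (n < 0)
        return n;                 /* abort the redirect, write nothing more */
    excluded[n++] = dev->ifindex; /* assumed use of the "1 +" slot */
    return n;
}

/* Constructed input: one device with n_upper macvlan-like upper devices. */
int demo_redirect(int n_upper)
{
    struct model_dev dev = { .ifindex = 2, .n_upper = n_upper };
    int excluded[1 + MAX_NEST_DEV];

    for (int i = 0; i < n_upper && i < MODEL_MAX_UPPERS; i++)
        dev.upper_ifindex[i] = 100 + i;
    return build_excluded(&dev, excluded);
}

int main(void) { return demo_redirect(9) == -EOVERFLOW ? 0 : 1; }
```

With exactly MAX_NEST_DEV upper devices the array is filled to its last slot; one more and the collector returns -EOVERFLOW before any write lands outside excluded[].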

Vendor: Linux
Product: Linux
Versions:

affected: aeea1b86f9363f3feabb496534d886f082a89f21 - < 88df604f0d16a692867582350ce3f2fcd22243f1
affected: aeea1b86f9363f3feabb496534d886f082a89f21 - < 5000e40acc8d0c36ab709662e32120986ac22e7e
affected: aeea1b86f9363f3feabb496534d886f082a89f21 - < 8a95fb9df1105b1618872c2846a6c01e3ba20b45
affected: aeea1b86f9363f3feabb496534d886f082a89f21 - < d2c31d8e03d05edc16656e5ffe187f0d1da763d7
affected: aeea1b86f9363f3feabb496534d886f082a89f21 - < 75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2

+2 more versions

Vendor: Linux
Product: Linux
Versions:

affected: 5.15
unaffected: 0 - < 5.15
unaffected: 5.15.203 - <= 5.15.*
unaffected: 6.1.167 - <= 6.1.*
unaffected: 6.6.130 - <= 6.6.*

+4 more versions
