{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23359", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.000Z", "datePublished": "2026-03-25T10:27:43.070Z", "dateUpdated": "2026-05-11T22:05:20.650Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:05:20.650Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stack-out-of-bounds write in devmap\n\nget_upper_ifindexes() iterates over all upper devices and writes their\nindices into an array without checking bounds.\n\nAlso the callers assume that the max number of upper devices is\nMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,\nbut that assumption is not correct and the number of upper devices could\nbe larger than MAX_NEST_DEV (e.g., many macvlans), causing a\nstack-out-of-bounds write.\n\nAdd a max parameter to get_upper_ifindexes() to avoid the issue.\nWhen there are too many upper devices, return -EOVERFLOW and abort the\nredirect.\n\nTo reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with\nan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.\nThen send a packet to the device to trigger the XDP redirect path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/devmap.c"], "versions": [{"version": "aeea1b86f9363f3feabb496534d886f082a89f21", "lessThan": "88df604f0d16a692867582350ce3f2fcd22243f1", "status": "affected", "versionType": "git"}, {"version": "aeea1b86f9363f3feabb496534d886f082a89f21", "lessThan": "5000e40acc8d0c36ab709662e32120986ac22e7e", "status": "affected", "versionType": "git"}, {"version": "aeea1b86f9363f3feabb496534d886f082a89f21", "lessThan": "8a95fb9df1105b1618872c2846a6c01e3ba20b45", "status": "affected", "versionType": "git"}, {"version": "aeea1b86f9363f3feabb496534d886f082a89f21", "lessThan": "d2c31d8e03d05edc16656e5ffe187f0d1da763d7", "status": "affected", "versionType": "git"}, {"version": "aeea1b86f9363f3feabb496534d886f082a89f21", "lessThan": "75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2", "status": "affected", "versionType": "git"}, {"version": "aeea1b86f9363f3feabb496534d886f082a89f21", "lessThan": "ca831567908fd3f73cf97d8a6c09a5054697a182", "status": "affected", "versionType": "git"}, {"version": "aeea1b86f9363f3feabb496534d886f082a89f21", "lessThan": "b7bf516c3ecd9a2aae2dc2635178ab87b734fef1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/devmap.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1"}, {"url": "https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e"}, {"url": "https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45"}, {"url": "https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7"}, {"url": "https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2"}, {"url": "https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182"}, {"url": "https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1"}], "title": "bpf: Fix stack-out-of-bounds write in devmap", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "179D712B-1C4F-4D1C-A8A4-74C05BD9A4A6", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*", "matchCriteriaId": "40D9C0D1-0F32-4A2B-9840-1072F5497540", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stack-out-of-bounds write in devmap\n\nget_upper_ifindexes() iterates over all upper devices and writes their\nindices into an array without checking bounds.\n\nAlso the callers assume that the max number of upper devices is\nMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,\nbut that assumption is not correct and the number of upper devices could\nbe larger than MAX_NEST_DEV (e.g., many macvlans), causing a\nstack-out-of-bounds write.\n\nAdd a max parameter to get_upper_ifindexes() to avoid the issue.\nWhen there are too many upper devices, return -EOVERFLOW and abort the\nredirect.\n\nTo reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with\nan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.\nThen send a packet to the device to trigger the XDP redirect path."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbpf: Correcci\u00f3n de escritura fuera de l\u00edmites de la pila en devmap\n\nget_upper_ifindexes() itera sobre todos los dispositivos superiores y escribe sus \u00edndices en un array sin comprobar los l\u00edmites.\n\nAdem\u00e1s, los llamadores asumen que el n\u00famero m\u00e1ximo de dispositivos superiores es MAX_NEST_DEV y asignan excluded_devices[1+MAX_NEST_DEV] en la pila, pero esa suposici\u00f3n no es correcta y el n\u00famero de dispositivos superiores podr\u00eda ser mayor que MAX_NEST_DEV (por ejemplo, muchas macvlans), causando una escritura fuera de l\u00edmites de la pila.\n\nA\u00f1adir un par\u00e1metro max a get_upper_ifindexes() para evitar el problema.\nCuando hay demasiados dispositivos superiores, devolver -EOVERFLOW y abortar la redirecci\u00f3n.\n\nPara reproducir, crear m\u00e1s de MAX_NEST_DEV(8) macvlans en un dispositivo con un programa XDP adjunto usando BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.\nLuego enviar un paquete al dispositivo para activar la ruta de redirecci\u00f3n XDP."}], "id": "CVE-2026-23359", "lastModified": "2026-04-24T19:02:43.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:34.740", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf: Fix stack-out-of-bounds write in devmap", "id": "2451202", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451202"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in the Linux kernel. The `get_upper_ifindexes()` function, which collects network device indices, fails to check array boundaries when writing these indices. This allows a local attacker to create a large number of virtual network interfaces (macvlans), causing a stack-out-of-bounds write. The consequence is a denial of service (DoS), as the system aborts network packet redirection, affecting network availability."], "name": "CVE-2026-23359", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23359\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23359\nhttps://lore.kernel.org/linux-cve-announce/2026032538-CVE-2026-23359-35fd@gregkh/T"], "statement": "This flaw affects systems using XDP (eXpress Data Path) with BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS on devices with many upper interfaces (>8 macvlans). The stack buffer overflow occurs because MAX_NEST_DEV assumption doesn't hold for all configurations. Requires ability to create many macvlan interfaces and attach XDP programs.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aeea1b86f9363f3feabb496534d886f082a89f21,5000e40acc8d0c36ab709662e32120986ac22e7e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aeea1b86f9363f3feabb496534d886f082a89f21,8a95fb9df1105b1618872c2846a6c01e3ba20b45)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aeea1b86f9363f3feabb496534d886f082a89f21,d2c31d8e03d05edc16656e5ffe187f0d1da763d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aeea1b86f9363f3feabb496534d886f082a89f21,75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aeea1b86f9363f3feabb496534d886f082a89f21,ca831567908fd3f73cf97d8a6c09a5054697a182)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aeea1b86f9363f3feabb496534d886f082a89f21,b7bf516c3ecd9a2aae2dc2635178ab87b734fef1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:15:19.565089+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the patch commit released on 2026\u201103\u201125", "If a kernel upgrade is not immediately possible, restrict the use of XDP programs with the BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS flags on devices that may host many macVLANs, thereby preventing the out\u2011of\u2011bounds write from being triggered", "Continuously monitor system logs for XDP failures or kernel panics that may indicate exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Memory corruption due to stack\u2011out\u2011of\u2011bounds write in BPF device mapping"}, "threat_synthesis": {"affected_systems": "Affected systems include any Linux kernel builds that contain the unpatched implementation of get_upper_ifindexes() and its callers. The specific kernel versions are not enumerated in the advisory, so all kernels upstream of the fix commit are considered vulnerable. The CVE references Linux:Linux for the affected vendor and product. The assumption that the vulnerability only applies to kernels with XDP programs attached to devices that host many macVLANs is inferred from the reproduction steps; however, any system capable of creating such a configuration would be at risk.", "description_and_impact": "The Linux kernel function get_upper_ifindexes() writes indices of upper network devices into an array without enforcing a boundary check. Callers assume the number of upper devices never exceeds the maximum, MAX_NEST_DEV, and allocate an array of size 1+MAX_NEST_DEV on the stack. In practice, the count can be larger\u2014especially with many virtual interfaces such as macVLANs\u2014leading to a stack\u2011out\u2011of\u2011bounds write. Based on the description, this memory corruption could destabilize the kernel or lead to privilege escalation if an attacker can influence the redirect path of an XDP program. The likely attack vector involves a local or privileged user loading a BPF program that uses the BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags on a device with many upper interfaces, then sending traffic to trigger the faulty redirect logic.", "risk_and_exploitability": "The CVSS score of 7.8 reflects high severity, while the EPSS score of less than 1\u202f% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely exploitation scenario requires the attacker to have the ability to load a BPF program with specific flags and to configure a device with more than eight upper interfaces; this indicates a local or privileged attack surface rather than a remote vector. The attack can lead to a denial of service by crashing the kernel or, in a more advanced scenario, to privilege escalation through kernel memory corruption."}}}}, "created": "2026-03-25T21:31:56.609205+00:00", "updated": "2026-04-28T09:30:26.194065+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}