{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23386", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.008Z", "datePublished": "2026-03-25T10:28:04.118Z", "dateUpdated": "2026-05-11T22:05:52.379Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:05:52.379Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL\n\nIn DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA\nbuffer cleanup path. It iterates num_bufs times and attempts to unmap\nentries in the dma array.\n\nThis leads to two issues:\n1. The dma array shares storage with tx_qpl_buf_ids (union).\n Interpreting buffer IDs as DMA addresses results in attempting to\n unmap incorrect memory locations.\n2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed\n the size of the dma array, causing out-of-bounds access warnings\n(trace below is how we noticed this issue).\n\nUBSAN: array-index-out-of-bounds in\ndrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of\nrange for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')\nWorkqueue: gve gve_service_task [gve]\nCall Trace:\n<TASK>\ndump_stack_lvl+0x33/0xa0\n__ubsan_handle_out_of_bounds+0xdc/0x110\ngve_tx_stop_ring_dqo+0x182/0x200 [gve]\ngve_close+0x1be/0x450 [gve]\ngve_reset+0x99/0x120 [gve]\ngve_service_task+0x61/0x100 [gve]\nprocess_scheduled_works+0x1e9/0x380\n\nFix this by properly checking for QPL mode and delegating to\ngve_free_tx_qpl_bufs() to reclaim the buffers."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/google/gve/gve_tx_dqo.c"], "versions": [{"version": "a6fb8d5a8b6925f1e635818d3dd2d89531d4a058", "lessThan": "71511dae56a75ce161aa746741e5c498feaea393", "status": "affected", "versionType": "git"}, {"version": "a6fb8d5a8b6925f1e635818d3dd2d89531d4a058", "lessThan": "c171f90f58974c784db25e0606051541cb71b7f0", "status": "affected", "versionType": "git"}, {"version": "a6fb8d5a8b6925f1e635818d3dd2d89531d4a058", "lessThan": "07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f", "status": "affected", "versionType": "git"}, {"version": "a6fb8d5a8b6925f1e635818d3dd2d89531d4a058", "lessThan": "3744ebd8ffaa542ae8110fb449adcac0202f4cc8", "status": "affected", "versionType": "git"}, {"version": "a6fb8d5a8b6925f1e635818d3dd2d89531d4a058", "lessThan": "fb868db5f4bccd7a78219313ab2917429f715cea", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/google/gve/gve_tx_dqo.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393"}, {"url": "https://git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0"}, {"url": "https://git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f"}, {"url": "https://git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8"}, {"url": "https://git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea"}], "title": "gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB6BFE31-498D-448D-B98D-49F04FE89110", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL\n\nIn DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA\nbuffer cleanup path. It iterates num_bufs times and attempts to unmap\nentries in the dma array.\n\nThis leads to two issues:\n1. The dma array shares storage with tx_qpl_buf_ids (union).\n Interpreting buffer IDs as DMA addresses results in attempting to\n unmap incorrect memory locations.\n2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed\n the size of the dma array, causing out-of-bounds access warnings\n(trace below is how we noticed this issue).\n\nUBSAN: array-index-out-of-bounds in\ndrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of\nrange for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')\nWorkqueue: gve gve_service_task [gve]\nCall Trace:\n<TASK>\ndump_stack_lvl+0x33/0xa0\n__ubsan_handle_out_of_bounds+0xdc/0x110\ngve_tx_stop_ring_dqo+0x182/0x200 [gve]\ngve_close+0x1be/0x450 [gve]\ngve_reset+0x99/0x120 [gve]\ngve_service_task+0x61/0x100 [gve]\nprocess_scheduled_works+0x1e9/0x380\n\nFix this by properly checking for QPL mode and delegating to\ngve_free_tx_qpl_bufs() to reclaim the buffers."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ngve: corrige la limpieza incorrecta del b\u00fafer en gve_tx_clean_pending_packets para QPL\n\nEn el modo DQ-QPL, gve_tx_clean_pending_packets() utiliza incorrectamente la ruta de limpieza del b\u00fafer RDA. Itera num_bufs veces e intenta desmapear entradas en el array dma.\n\nEsto conduce a dos problemas:\n1. El array dma comparte almacenamiento con tx_qpl_buf_ids (uni\u00f3n).\n Interpretar los IDs de b\u00fafer como direcciones DMA resulta en el intento de desmapear ubicaciones de memoria incorrectas.\n2. num_bufs en modo QPL (contando bloques de 2K) puede exceder significativamente el tama\u00f1o del array dma, causando advertencias de acceso fuera de l\u00edmites (el rastro a continuaci\u00f3n es c\u00f3mo notamos este problema).\n\nUBSAN: \u00edndice de array fuera de l\u00edmites en\ndrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 el \u00edndice 18 est\u00e1 fuera de\nrango para el tipo 'dma_addr_t[18]' (tambi\u00e9n conocido como 'unsigned long long[18]')\nCola de trabajo: gve gve_service_task [gve]\nRastro de Llamada:\n\ndump_stack_lvl+0x33/0xa0\n__ubsan_handle_out_of_bounds+0xdc/0x110\ngve_tx_stop_ring_dqo+0x182/0x200 [gve]\ngve_close+0x1be/0x450 [gve]\ngve_reset+0x99/0x120 [gve]\ngve_service_task+0x61/0x100 [gve]\nprocess_scheduled_works+0x1e9/0x380\n\nSoluciona esto verificando correctamente el modo QPL y delegando a gve_free_tx_qpl_bufs() para reclamar los b\u00faferes."}], "id": "CVE-2026-23386", "lastModified": "2026-04-24T18:44:53.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:38.960", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL", "id": "2451273", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451273"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["A flaw was found in the Linux kernel, specifically within the gve network driver. When the driver operates in DQ-QPL (Data Queue - Queue Pair List) mode, the gve_tx_clean_pending_packets() function incorrectly processes buffer cleanup. This error can cause the system to attempt to unmap memory at incorrect locations and access memory outside of allocated bounds, potentially leading to system instability or a denial of service."], "name": "CVE-2026-23386", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23386\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23386\nhttps://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23386-acc4@gregkh/T"], "statement": "This flaw affects Google Cloud Platform virtual machines using the gve network driver in DQ-QPL mode. The buffer cleanup code incorrectly interprets QPL buffer IDs as DMA addresses and can access beyond array bounds. This triggers UBSAN warnings and potential memory corruption during driver reset or close operations. Specific to GCP environments with gve driver.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,71511dae56a75ce161aa746741e5c498feaea393)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,c171f90f58974c784db25e0606051541cb71b7f0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,3744ebd8ffaa542ae8110fb449adcac0202f4cc8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,fb868db5f4bccd7a78219313ab2917429f715cea)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:58:28.489344+00:00", "value": {"mitigation_remediation": ["Update the kernel to a release that includes the CVE\u20112026\u201123386 fix", "If an immediate kernel update cannot be applied, disable QPL mode in the gve driver configuration to avoid the buggy cleanup path", "Continuously monitor system logs for UBSAN or out\u2011of\u2011bounds warnings related to the gve driver to detect potential exploitation attempts"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that include the gve driver and are compiled with QPL support are susceptible. The supplied CPE strings indicate the issue is present in kernel releases from version 6.6 and the 7.0 release candidates up through rc7. The vulnerability is not tied to a single vendor identity beyond the generic Linux kernel, making any system running an unpatched gve driver at risk.", "description_and_impact": "The gve driver in the Linux kernel contains a logic flaw in the gve_tx_clean_pending_packets function when operating in DQ\u2011QPL mode. The routine mistakenly uses the RDA buffer cleanup path, interpreting buffer identifiers as DMA addresses and iterating beyond the size of the dma array. This leads to out\u2011of\u2011bounds array accesses and attempts to unmap memory locations that were never mapped, which can trigger kernel panics or other forms of instability. The vulnerability does not provide an avenue for code execution; its effect is limited to disabling affected systems through denial of service.", "risk_and_exploitability": "The moderate CVSS score of 5.5 reflects the moderate impact domain of a denial\u2011of\u2011service that requires local interaction with the gve driver. The associated EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The bug is triggered by normal network traffic or driver activity that activates the faulty cleanup path, indicating a local attack vector. No publicly available exploits are known, and the primary consequence is a forced reboot or service interruption caused by kernel crashes."}}}}, "created": "2026-03-25T21:31:30.156115+00:00", "updated": "2026-04-28T17:00:13.466380+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}