{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23459", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.021Z", "datePublished": "2026-04-03T15:15:39.665Z", "dateUpdated": "2026-05-11T22:07:23.860Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:23.860Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS\n\nBlamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which\ncall iptunnel_xmit_stats().\n\niptunnel_xmit_stats() was assuming tunnels were only using\nNETDEV_PCPU_STAT_TSTATS.\n\n@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.\n\n32bit kernels would either have corruptions or freezes if the syncp\nsequence was overwritten.\n\nThis patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid\na potential cache line miss since iptunnel_xmit_stats() needs to read it."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/netdevice.h", "include/net/ip_tunnels.h"], "versions": [{"version": "be226352e8dc77d3313c096b2d8e7f69bf6980fc", "lessThan": "0d087d00161f562d5047cc4009bb0c6a19daf9f1", "status": "affected", "versionType": "git"}, {"version": "be226352e8dc77d3313c096b2d8e7f69bf6980fc", "lessThan": "8431c602f551549f082bbfa67f3003f2d8e3e132", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/netdevice.h", "include/net/ip_tunnels.h"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0d087d00161f562d5047cc4009bb0c6a19daf9f1"}, {"url": "https://git.kernel.org/stable/c/8431c602f551549f082bbfa67f3003f2d8e3e132"}], "title": "ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS\n\nBlamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which\ncall iptunnel_xmit_stats().\n\niptunnel_xmit_stats() was assuming tunnels were only using\nNETDEV_PCPU_STAT_TSTATS.\n\n@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.\n\n32bit kernels would either have corruptions or freezes if the syncp\nsequence was overwritten.\n\nThis patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid\na potential cache line miss since iptunnel_xmit_stats() needs to read it."}], "id": "CVE-2026-23459", "lastModified": "2026-04-27T14:16:34.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:32.833", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d087d00161f562d5047cc4009bb0c6a19daf9f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8431c602f551549f082bbfa67f3003f2d8e3e132"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS", "id": "2454863", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454863"}, "csaw": false, "cwe": "CWE-821", "details": ["A flaw was found in the Linux kernel's IP tunnel (ip_tunnel) functionality. Incorrect handling of tunnel statistics, specifically within the `iptunnel_xmit_stats()` function, could lead to a mismatch in how data is processed. On 32-bit kernel systems, this issue may result in data corruption or system freezes, effectively causing a Denial of Service (DoS)."], "name": "CVE-2026-23459", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23459\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23459\nhttps://lore.kernel.org/linux-cve-announce/2026040319-CVE-2026-23459-fcfb@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[be226352e8dc77d3313c096b2d8e7f69bf6980fc,0d087d00161f562d5047cc4009bb0c6a19daf9f1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[be226352e8dc77d3313c096b2d8e7f69bf6980fc,8431c602f551549f082bbfa67f3003f2d8e3e132)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:37:34.498013+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the iptunnel statistics patch.", "If an immediate update is not possible, disable VXLAN and Geneve interfaces until the fix is deployed.", "Verify that no tunnel traffic can deliver packets to the system during the mitigation period.", "Monitor kernel logs for signs of statistics corruption or unexpected freezes.", "Stay current with vendor security advisories to apply subsequent updates promptly."], "summary": {"action": "Patch Now", "impact": "Denial of Service (Kernel Freeze)"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel version prior to the inclusion of the iptunnel patch is susceptible. The issue is most severe on 32\u2011bit architectures, but any kernel exposed to VXLAN or Geneve traffic without the patch could experience statistics corruption, regardless of vendor kernel build.", "description_and_impact": "The Linux kernel\u2019s iptunnel_xmit_stats() function incorrectly assumed all tunnel interfaces used NETDEV_PCPU_STAT_TSTATS, but VXLAN and Geneve tunnels use NETDEV_PCPU_STAT_DSTATS. On 32\u2011bit kernels the differing offset between pcpu_sw_netstats and pcpu_dstats can overwrite the syncp sequence, leading to memory corruption and a system freeze. This results in a denial\u2011of\u2011service condition that can be brought on by traffic sent over the affected tunnels.", "risk_and_exploitability": "The CVSS score is 8.2, indicating a high severity of this flaw. The EPSS score of < 1% suggests a low probability of exploitation, but the vulnerability is not listed in the CISA KEV catalog. Inferred likely attack vectors involve an attacker who can send traffic over VXLAN or Geneve interfaces to the host, either from inside the network or from an external source capable of reaching the tunnel endpoints. Successful exploitation would result in a crash or hang, disrupting availability."}}}}, "created": "2026-04-03T21:13:39.476741+00:00", "updated": "2026-04-28T16:45:06.174659+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}