7.8

CVE-2026-23359

bpf: Fix stack-out-of-bounds write in devmap

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stack-out-of-bounds write in devmap

get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.

Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.

Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15.1 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.167
LinuxLinux Kernel Version >= 6.2 < 6.6.130
LinuxLinux Kernel Version >= 6.7 < 6.12.77
LinuxLinux Kernel Version >= 6.13 < 6.18.17
LinuxLinux Kernel Version >= 6.19 < 6.19.7
LinuxLinux Kernel Version5.15 Update-
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
LinuxLinux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.029
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e
Patch
https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45
Patch
https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7
Patch
https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2
Patch
https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182
Patch
https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1
Patch
https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1
Patch