CVE-2026-23359

bpf: Fix stack-out-of-bounds write in devmap

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds. Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2026-01-13 CVE Reserved
2026-03-25 CVE Published
2026-04-26 EPSS Updated
2026-05-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/aeea1b86f9363f3feabb496534d886f082a89f21	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1	2026-04-18
https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e	2026-03-25
https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45	2026-03-25
https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7	2026-03-13
https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2	2026-03-12
https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182	2026-03-12
https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1	2026-02-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.15.203 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.203"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.1.167 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.1.167"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.6.130 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.6.130"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.12.77 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.12.77"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.18.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.18.17"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.19.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.19.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 7.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 7.0"		en		Affected