SB2026032080 - Uncontrolled Recursion in Linux kernel ipv4

Description

This security bulletin contains information about 1 security vulnerability.

1) Uncontrolled Recursion (CVE-ID: CVE-2026-23276)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) when handling network packets in a specific tunnel and bonding configuration. A remote attacker can send specially crafted network traffic that triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), leading to kernel stack overflow and system crash.

The issue specifically occurs when a bond device in broadcast mode has GRE tap interfaces as slaves and those GRE tunnels route back through the bond, causing multicast/broadcast traffic to trigger unbounded recursion. The existing XMIT_RECURSION_LIMIT is insufficient because tunnel recursion consumes more stack per level due to route lookups and full IP output processing.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4
• https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385
• https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e