Out-of-bounds write in Linux kernel - CVE-2026-23386
Published: March 25, 2026
Vulnerability identifier: #VU124458
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23386
CWE-ID: CWE-787
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a boundary error in the gve_tx_clean_pending_packets() function in the Google Virtual Ethernet (gve) driver when handling packet transmission cleanup in DQ-QPL mode. A local user can trigger improper buffer cleanup by causing the transmission path to fail, leading to out-of-bounds memory access and system crash.
The issue arises because the function incorrectly uses the RDA buffer cleanup path in QPL mode, resulting in accessing memory beyond the bounds of the dma array, which shares storage with tx_qpl_buf_ids. This can be triggered during normal operation under specific error conditions.
How to mitigate CVE-2026-23386
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f
- https://git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8
- https://git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393
- https://git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0
- https://git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea