CVE-2026-23386

Description

In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array. This leads to two issues: 1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations. 2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed the size of the dma array, causing out-of-bounds access warnings (trace below is how we noticed this issue). UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]') Workqueue: gve gve_service_task [gve] Call Trace: <TASK> dump_stack_lvl+0x33/0xa0 __ubsan_handle_out_of_bounds+0xdc/0x110 gve_tx_stop_ring_dqo+0x182/0x200 [gve] gve_close+0x1be/0x450 [gve] gve_reset+0x99/0x120 [gve] gve_service_task+0x61/0x100 [gve] process_scheduled_works+0x1e9/0x380 Fix this by properly checking for QPL mode and delegating to gve_free_tx_qpl_bufs() to reclaim the buffers.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:* - VULNERABLE

Linux Kernel (stable branches prior to commit 07e0c80e17ef)

Linux Kernel (stable branches prior to commit 3744ebd8ffaa)

Linux Kernel (stable branches prior to commit 71511dae56a7)

Linux Kernel (stable branches prior to commit c171f90f5897)

Linux Kernel (stable branches prior to commit fb868db5f4bc)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC Concept for CVE-2026-23386
 * This code demonstrates the logic flaw leading to Out-of-Bounds access.
 * Compile with: gcc -o poc_cve202623386 poc_cve202623386.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define DMA_ARRAY_SIZE 18
#define QPL_BUF_COUNT 64  // Simulating a larger num_bufs in QPL mode

typedef union {
    uint64_t dma_addr;
    uint32_t buf_id;
} buffer_storage_t;

void vulnerable_cleanup(buffer_storage_t *buffers, int num_bufs, int is_qpl_mode) {
    printf("[+] Starting cleanup process...\n");
    
    // Vulnerability: The code does not properly check for QPL mode
    // and uses the RDA path logic (iterating num_bufs directly on dma array)
    if (1) { // Simulating the flawed condition
        for (int i = 0; i < num_bufs; i++) {
            // This simulates the out-of-bounds access
            if (i >= DMA_ARRAY_SIZE) {
                printf("[!] UBSAN: array-index-out-of-bounds in vulnerable_cleanup\n");
                printf("    index %d is out of range for type 'dma_addr_t[%d]'\n", i, DMA_ARRAY_SIZE);
                // In kernel, this leads to panic or corruption
                break; 
            }
            printf("[?] Unmapping buffer at index %d (addr: 0x%llx)\n", i, (unsigned long long)buffers[i].dma_addr);
        }
    } else {
        printf("[*] Using safe QPL cleanup path.\n");
    }
}

int main() {
    buffer_storage_t buffers[DMA_ARRAY_SIZE];
    
    // Initialize dummy data
    for (int i = 0; i < DMA_ARRAY_SIZE; i++) {
        buffers[i].dma_addr = 0xdeadbeef0000 + i;
    }

    printf("Simulating CVE-2026-23386 Trigger\n");
    printf("Context: DQ-QPL mode active.\n");
    printf("num_bufs (QPL chunks): %d\n", QPL_BUF_COUNT);
    printf("dma_array_size: %d\n\n", DMA_ARRAY_SIZE);

    // Trigger the vulnerable function
    vulnerable_cleanup(buffers, QPL_BUF_COUNT, 1);

    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23386
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23386
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23386/
[4] VulDB https://vuldb.com/cve/CVE-2026-23386
[5] https://git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f
[6] https://git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8
[7] https://git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393
[8] https://git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0
[9] https://git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23386", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:38.960", "lastModified": "2026-04-24T18:44:53.623", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL\n\nIn DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA\nbuffer cleanup path. It iterates num_bufs times and attempts to unmap\nentries in the dma array.\n\nThis leads to two issues:\n1. The dma array shares storage with tx_qpl_buf_ids (union).\n Interpreting buffer IDs as DMA addresses results in attempting to\n unmap incorrect memory locations.\n2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed\n the size of the dma array, causing out-of-bounds access warnings\n(trace below is how we noticed this issue).\n\nUBSAN: array-index-out-of-bounds in\ndrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of\nrange for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')\nWorkqueue: gve gve_service_task [gve]\nCall Trace:\n<TASK>\ndump_stack_lvl+0x33/0xa0\n__ubsan_handle_out_of_bounds+0xdc/0x110\ngve_tx_stop_ring_dqo+0x182/0x200 [gve]\ngve_close+0x1be/0x450 [gve]\ngve_reset+0x99/0x120 [gve]\ngve_service_task+0x61/0x100 [gve]\nprocess_scheduled_works+0x1e9/0x380\n\nFix this by properly checking for QPL mode and delegating to\ngve_free_tx_qpl_bufs() to reclaim the buffers."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ngve: corrige la limpieza incorrecta del búfer en gve_tx_clean_pending_packets para QPL\n\nEn el modo DQ-QPL, gve_tx_clean_pending_packets() utiliza incorrectamente la ruta de limpieza del búfer RDA. Itera num_bufs veces e intenta desmapear entradas en el array dma.\n\nEsto conduce a dos problemas:\n1. El array dma comparte almacenamiento con tx_qpl_buf_ids (unión).\n Interpretar los IDs de búfer como direcciones DMA resulta en el intento de desmapear ubicaciones de memoria incorrectas.\n2. num_bufs en modo QPL (contando bloques de 2K) puede exceder significativamente el tamaño del array dma, causando advertencias de acceso fuera de límites (el rastro a continuación es cómo notamos este problema).\n\nUBSAN: índice de array fuera de límites en\ndrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 el índice 18 está fuera de\nrango para el tipo 'dma_addr_t[18]' (también conocido como 'unsigned long long[18]')\nCola de trabajo: gve gve_service_task [gve]\nRastro de Llamada:\n\ndump_stack_lvl+0x33/0xa0\n__ubsan_handle_out_of_bounds+0xdc/0x110\ngve_tx_stop_ring_dqo+0x182/0x200 [gve]\ngve_close+0x1be/0x450 [gve]\ngve_reset+0x99/0x120 [gve]\ngve_service_task+0x61/0x100 [gve]\nprocess_scheduled_works+0x1e9/0x380\n\nSoluciona esto verificando correctamente el modo QPL y delegando a gve_free_tx_qpl_bufs() para reclamar los búferes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.1", "versionEndExcluding": "6.6.130", "matchCriteriaId": "CB6BFE31-498D-448D-B98D-49F04FE89110"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.78", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "cr ... (truncated)