CVE-2026-23390

/* * PoC Concept: Calculate buffer size for dma_map_sg tracepoint * This demonstrates the condition that triggers the overflow. */ #include <stdio.h> #define PERF_MAX_TRACE_SIZE 8192 void calculate_trace_size(int nents) { // phys_addrs: nents * 8 bytes // dma_addrs: nents * 8 bytes // lengths: nents * 4 bytes size_t total_size = (nents * 8) + (nents * 8) + (nents * 4); printf("Entries: %d\n", nents); printf("Required Trace Size: %zu bytes\n", total_size); printf("Perf Max Trace Size: %d bytes\n", PERF_MAX_TRACE_SIZE); if (total_size > PERF_MAX_TRACE_SIZE) { printf("[!] VULNERABLE: Buffer overflow detected!\n"); } else { printf("[+] Safe: Size within limits.\n"); } } int main() { // Triggering condition mentioned in CVE description (nents > 1000) calculate_trace_size(1000); return 0; }

{"cve": {"id": "CVE-2026-23390", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:39.567", "lastModified": "2026-04-24T18:32:24.277", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow\n\nThe dma_map_sg tracepoint can trigger a perf buffer overflow when\ntracing large scatter-gather lists. With devices like virtio-gpu\ncreating large DRM buffers, nents can exceed 1000 entries, resulting\nin:\n\n phys_addrs: 1000 * 8 bytes = 8,000 bytes\n dma_addrs: 1000 * 8 bytes = 8,000 bytes\n lengths: 1000 * 4 bytes = 4,000 bytes\n Total: ~20,000 bytes\n\nThis exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:\n\n WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405\n perf buffer not large enough, wanted 24620, have 8192\n\nCap all three dynamic arrays at 128 entries using min() in the array\nsize calculation. This ensures arrays are only as large as needed\n(up to the cap), avoiding unnecessary memory allocation for small\noperations while preventing overflow for large ones.\n\nThe tracepoint now records the full nents/ents counts and a truncated\nflag so users can see when data has been capped.\n\nChanges in v2:\n- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing\n instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from\n Steven Rostedt)\n- This allocates only what's needed up to the cap, avoiding waste\n for small operations\n\nReviwed-by: Sean Anderson <[email protected]>"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ntracing/dma: Limitar los arrays del tracepoint dma_map_sg para prevenir el desbordamiento de búfer\n\nEl tracepoint dma_map_sg puede desencadenar un desbordamiento de búfer de perf al trazar listas grandes de scatter-gather. Con dispositivos como virtio-gpu creando búferes DRM grandes, nents puede exceder las 1000 entradas, resultando en:\n\n phys_addrs: 1000 * 8 bytes = 8.000 bytes\n dma_addrs: 1000 * 8 bytes = 8.000 bytes\n lengths: 1000 * 4 bytes = 4.000 bytes\n Total: ~20.000 bytes\n\nEsto excede PERF_MAX_TRACE_SIZE (8192 bytes), causando:\n\n ADVERTENCIA: CPU: 0 PID: 5497 en kernel/trace/trace_event_perf.c:405\n búfer de perf no lo suficientemente grande, se querían 24620, se tienen 8192\n\nLimitar los tres arrays dinámicos a 128 entradas usando min() en el cálculo del tamaño del array. Esto asegura que los arrays sean solo tan grandes como sea necesario (hasta el límite), evitando la asignación de memoria innecesaria para operaciones pequeñas mientras se previene el desbordamiento para las grandes.\n\nEl tracepoint ahora registra los conteos completos de nents/ents y un indicador de truncamiento para que los usuarios puedan ver cuándo los datos han sido limitados.\n\nCambios en v2:\n- Usar min(nents, DMA_TRACE_MAX_ENTRIES) para el dimensionamiento dinámico del array en lugar de la asignación fija de DMA_TRACE_MAX_ENTRIES (comentarios de Steven Rostedt)\n- Esto asigna solo lo necesario hasta el límite, evitando el desperdicio para operaciones pequeñas\n\nRevisado por: Sean Anderson "}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.1", "versionEndExcluding": "6.12.74", "matchCriteriaId": "3D530012-C124-4425-AC28-91B8FACB2151"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.13", "matchCriteriaId": "6BDEF9FB-423E-49F6-991B-9277CC3AF400"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*", "matchCriteriaId": "0E698080-7669-4132-8817-4C674EEBCE54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cp ... (truncated)