{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23143", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.973Z", "datePublished": "2026-02-14T15:36:08.834Z", "dateUpdated": "2026-02-14T15:36:08.834Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-14T15:36:08.834Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix misalignment bug in struct virtnet_info\n\nUse the new TRAILING_OVERLAP() helper to fix a misalignment bug\nalong with the following warning:\n\ndrivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nThis helper creates a union between a flexible-array member (FAM)\nand a set of members that would otherwise follow it (in this case\n`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This\noverlays the trailing members (rss_hash_key_data) onto the FAM\n(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.\nThe static_assert() ensures this alignment remains.\n\nNotice that due to tail padding in flexible `struct\nvirtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`\n(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at\noffset 84 in struct virtnet_info) are misaligned by one byte. See\nbelow:\n\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n\nAfter changes, those members are correctly aligned at offset 795:\n\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n\nAs a result, the RSS key passed to the device is shifted by 1\nbyte: the last byte is cut off, and instead a (possibly\nuninitialized) byte is added at the beginning.\n\nAs a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also\nmoved to the end, since it seems those three members should stick\naround together. :)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/virtio_net.c"], "versions": [{"version": "ed3100e90d0d120a045a551b85eb43cf2527e885", "lessThan": "ae48108c2310f1dd700e0dbb655c2f1d92ed00fc", "status": "affected", "versionType": "git"}, {"version": "ed3100e90d0d120a045a551b85eb43cf2527e885", "lessThan": "4156c3745f06bc197094b9ee97a9584e69ed00bf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/virtio_net.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.7", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ae48108c2310f1dd700e0dbb655c2f1d92ed00fc"}, {"url": "https://git.kernel.org/stable/c/4156c3745f06bc197094b9ee97a9584e69ed00bf"}], "title": "virtio_net: Fix misalignment bug in struct virtnet_info", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix misalignment bug in struct virtnet_info\n\nUse the new TRAILING_OVERLAP() helper to fix a misalignment bug\nalong with the following warning:\n\ndrivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nThis helper creates a union between a flexible-array member (FAM)\nand a set of members that would otherwise follow it (in this case\n`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This\noverlays the trailing members (rss_hash_key_data) onto the FAM\n(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.\nThe static_assert() ensures this alignment remains.\n\nNotice that due to tail padding in flexible `struct\nvirtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`\n(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at\noffset 84 in struct virtnet_info) are misaligned by one byte. See\nbelow:\n\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n\nAfter changes, those members are correctly aligned at offset 795:\n\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n\nAs a result, the RSS key passed to the device is shifted by 1\nbyte: the last byte is cut off, and instead a (possibly\nuninitialized) byte is added at the beginning.\n\nAs a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also\nmoved to the end, since it seems those three members should stick\naround together. :)"}], "id": "CVE-2026-23143", "lastModified": "2026-02-14T16:15:54.383", "metrics": {}, "published": "2026-02-14T16:15:54.383", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4156c3745f06bc197094b9ee97a9584e69ed00bf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ae48108c2310f1dd700e0dbb655c2f1d92ed00fc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}