Description
In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: fix potential skb->frags overflow in RX path

When receiving data in the DPMAIF RX path,
the t7xx_dpmaif_set_frag_to_skb() function adds
page fragments to an skb without checking if the number of
fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
potentially causing kernel crashes or other undefined behavior.

This issue was identified through static code analysis by comparing with a
similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
fix array overflow on receiving too many fragments for a packet").

The vulnerability could be triggered if the modem firmware sends packets
with excessive fragments. While under normal protocol conditions (MTU 3080
bytes, BAT buffer 3584 bytes),
a single packet should not require additional
fragments, the kernel should not blindly trust firmware behavior.
Malicious, buggy, or compromised firmware could potentially craft packets
with more fragments than the kernel expects.

Fix this by adding a bounds check before calling skb_add_rx_frag() to
ensure nr_frags does not exceed MAX_SKB_FRAGS.

The check must be performed before unmapping to avoid a page leak
and double DMA unmap during device teardown.
Published: 2026-02-14
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel buffer overflow potentially leading to crashes or privilege escalation
Action: Immediate patch
AI Analysis

Impact

The vulnerability in the Linux kernel’s wwan driver exposes a potential buffer overflow when handling received packet fragments. In the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without verifying that the fragment count remains within the MAX_SKB_FRAGS limit. If firmware supplies more fragments than the kernel expects, the skb_shinfo(skb)->frags array can be overrun, corrupting adjacent memory and causing kernel crashes or other undefined behaviour.

Affected Systems

All Linux kernel distributions that ship the v6.19 release series are affected, including the release candidates rc1 through rc7 enumerated in the Common Platform Enumeration strings. The fix applies to the generic Linux vendor and product, so any distribution still using the unpatched kernel falls under this scope.

Risk and Exploitability

The vulnerability carries a high CVSS base score of 8.4, yet the EPSS probability is below 1%, indicating a low exploitation likelihood at present. It is not listed in the CISA KEV catalog. Exploitation would require an attacker to manipulate or compromise modem firmware to transmit packets with excessive fragments, making the attack vector local to the device or remote if firmware injection can be achieved. Successful exploitation could corrupt kernel memory, leading to denial of service or potentially enabling privilege escalation.

Generated by OpenCVE AI on April 15, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the patch (for example, any release of 6.19 after the inclusion of the commit that bounds fragment counts).
  • If a new kernel release is unavailable, download the relevant patch from the kernel source repository, apply it manually to the existing kernel source tree, and rebuild the kernel.
  • After applying the patch or upgrading, reboot the system to ensure the updated kernel is running and monitor kernel logs for any evidence of out‑of‑bounds fragment handling.

Generated by OpenCVE AI on April 15, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References

Sat, 14 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb->frags overflow in RX path When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior. This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: fix array overflow on receiving too many fragments for a packet"). The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects. Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS. The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown.
Title net: wwan: t7xx: fix potential skb->frags overflow in RX path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:32:10.969Z

Reserved: 2026-01-13T15:37:45.983Z

Link: CVE-2026-23172

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-14T16:15:57.457

Modified: 2026-04-03T14:16:25.353

Link: CVE-2026-23172

cve-icon Redhat

Severity :

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23172 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses