Description
In the Linux kernel, the following vulnerability has been resolved:

gve: Fix stats report corruption on queue count change

The driver and the NIC share a region in memory for stats reporting.
The NIC calculates its offset into this region based on the total size
of the stats region and the size of the NIC's stats.

When the number of queues is changed, the driver's stats region is
resized. If the queue count is increased, the NIC can write past
the end of the allocated stats region, causing memory corruption.
If the queue count is decreased, there is a gap between the driver
and NIC stats, leading to incorrect stats reporting.

This change fixes the issue by allocating stats region with maximum
size, and the offset calculation for NIC stats is changed to match
with the calculation of the NIC.
Published: 2026-03-18
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s gve driver, which shares a statistics memory region with the corresponding network interface card. When the number of queues changes, the driver reallocates the region. If the queue count is increased, the NIC writes beyond the allocated bounds, corrupting kernel memory. Decreasing the count creates an unused gap, distorting statistics. Such memory corruption can cause crashes, data corruption, or, in the worst case, provide a foothold for privilege escalation.

Affected Systems

Any Linux system running a kernel that includes the gve driver is potentially affected. No specific kernel versions are listed, so all current kernels containing this driver should be treated as vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate to high severity. EPSS indicates a probability of exploitation of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local user or an attacker with privileged access who can alter the queue count during device initialization or driver configuration. Based on the description, an attacker might trigger an out‑of‑bounds write that could lead to arbitrary code execution in kernel mode if exploited successfully.

Generated by OpenCVE AI on March 27, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the commit fixing the gve stats report corruption
  • Verify that the kernel version includes the specific commit identifiers referenced in the advisory
  • If an upgrade is not immediately possible, consider disabling the gve driver or preventing changes to the NIC queue count until the patch is applied

Generated by OpenCVE AI on March 27, 2026 at 22:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-120

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-120

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-190

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-190

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: gve: Fix stats report corruption on queue count change The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats region and the size of the NIC's stats. When the number of queues is changed, the driver's stats region is resized. If the queue count is increased, the NIC can write past the end of the allocated stats region, causing memory corruption. If the queue count is decreased, there is a gap between the driver and NIC stats, leading to incorrect stats reporting. This change fixes the issue by allocating stats region with maximum size, and the offset calculation for NIC stats is changed to match with the calculation of the NIC.
Title gve: Fix stats report corruption on queue count change
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-18T17:41:08.380Z

Reserved: 2026-01-13T15:37:45.990Z

Link: CVE-2026-23262

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:24.770

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-23262

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23262 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:58Z

Weaknesses