{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23276", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-20T08:08:56.575Z", "dateUpdated": "2026-03-20T08:08:56.575Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-20T08:08:56.575Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n <TASK>\n __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n ip_rt_update_pmtu (net/ipv4/route.c:1073)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n mld_sendpack\n mld_ifc_work\n process_one_work\n worker_thread\n </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/netdevice.h", "include/net/ip6_tunnel.h", "include/net/ip_tunnels.h", "net/core/dev.h", "net/ipv4/ip_tunnel_core.c"], "versions": [{"version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f", "lessThan": "8a57deeb256069f262957d8012418559ff66c385", "status": "affected", "versionType": "git"}, {"version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f", "lessThan": "b56b8d19bd05e2a8338385c770bc2b60590bc81e", "status": "affected", "versionType": "git"}, {"version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f", "lessThan": "6f1a9140ecda3baba3d945b9a6155af4268aafc4", "status": "affected", "versionType": "git"}, {"version": "3f266b04185de51d8e6446eb1fccec3b5e7ce575", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/netdevice.h", "include/net/ip6_tunnel.h", "include/net/ip_tunnels.h", "net/core/dev.h", "net/ipv4/ip_tunnel_core.c"], "versions": [{"version": "2.6.37", "status": "affected"}, {"version": "0", "lessThan": "2.6.37", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "7.0-rc4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385"}, {"url": "https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e"}, {"url": "https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4"}], "title": "net: add xmit recursion limit to tunnel xmit functions", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n <TASK>\n __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n ip_rt_update_pmtu (net/ipv4/route.c:1073)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n mld_sendpack\n mld_ifc_work\n process_one_work\n worker_thread\n </TASK>"}], "id": "CVE-2026-23276", "lastModified": "2026-03-20T13:37:50.737", "metrics": {}, "published": "2026-03-20T09:16:13.370", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: add xmit recursion limit to tunnel xmit functions", "id": "2449561", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449561"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-835", "details": ["A flaw was found in the Linux kernel. When a bond device in broadcast mode has Generic Routing Encapsulation (GRE) tap interfaces configured as slaves, and these GRE tunnels are routed back through the bond, multicast or broadcast network traffic can trigger an infinite recursion. This recursion occurs within the kernel's tunnel transmit functions, leading to a kernel stack overflow. A local attacker could potentially exploit this to cause a Denial of Service (DoS) on the system."], "mitigation": {"lang": "en:us", "value": "Avoid configuring bond devices in broadcast mode with tunnel interfaces (GRE, VXLAN, Geneve) as slaves when those tunnels route back through the bond. Alternatively, use a different bonding mode such as active-backup or 802.3ad."}, "name": "CVE-2026-23276", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23276\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23276\nhttps://lore.kernel.org/linux-cve-announce/2026032035-CVE-2026-23276-7fd3@gregkh/T"], "statement": "This vulnerability requires a specific network configuration: a bonding device in broadcast mode with GRE tap tunnel slaves where the tunnels route back through the bond. When multicast or broadcast traffic is sent, the lack of recursion limits in tunnel transmit functions causes infinite recursion between bond_xmit_broadcast() and tunnel xmit functions, exhausting the kernel stack. This affects GRE, VXLAN, Geneve, and similar tunnels.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[745e20f1b626b1be4b100af5d4bf7b3439392f8f,8a57deeb256069f262957d8012418559ff66c385)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[745e20f1b626b1be4b100af5d4bf7b3439392f8f,b56b8d19bd05e2a8338385c770bc2b60590bc81e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[745e20f1b626b1be4b100af5d4bf7b3439392f8f,6f1a9140ecda3baba3d945b9a6155af4268aafc4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "3f266b04185de51d8e6446eb1fccec3b5e7ce575"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.37"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,2.6.37)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.19,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.9,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-20T11:23:05.807037+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch (commit 6f1a9140ec) which sets IP_TUNNEL_RECURSION_LIMIT to 4.", "If an upgrade is not immediately feasible, reconfigure the bond device to avoid broadcast mode or unlink GRE tap interfaces from the bond.", "Continuously monitor kernel logs for stack\u2011overrun messages or the KASAN stack\u2011overflow diagnostics described in the bug report."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via kernel stack overflow"}, "threat_synthesis": {"affected_systems": "The affected system is the Linux kernel. All releases that do not include the patch adding IP_TUNNEL_RECURSION_LIMIT (commit 6f1a9140ec) are vulnerable. The vulnerability applies to both IPv4 and IPv6 tunnel paths, including GRE, VXLAN, and Geneve tunnels, when a bond device operates in broadcast mode with GRE tap slaves.", "description_and_impact": "The vulnerability resides in the Linux kernel\u2019s network layer, where tunnel transmit functions (iptunnel_xmit, ip6tunnel_xmit) lack an adequate recursion limit. When a bond device in broadcast mode contains GRE tap interfaces and those tunnels route back through the bond, multicast or broadcast traffic triggers an infinite recursion between bond_xmit_broadcast() and the tunnel functions, exhausting the kernel stack. This results in a stack overflow that causes the kernel to crash, leading to a denial of service. The weakness is reflected in CWEs 119 (Buffer Overflow) and 674 (Integer Overflow or Wraparound) due to the unchecked recursion depth.", "risk_and_exploitability": "No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly disclosed exploits yet. The likely attack vector is through crafted network traffic that initiates broadcast/multicast packets on a bond device configured with GRE tap interfaces. Successful exploitation requires the attacker to influence traffic sent over the affected interface, and the impact is a kernel crash that disrupts system availability. The risk is considered high due to the severity of the crash, but the probability of exploitation depends on the presence of the specific bond and tunnel configuration."}}}}, "created": "2026-03-20T10:36:43.423549+00:00", "updated": "2026-03-20T16:27:48.005716+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}