Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stack-out-of-bounds write in devmap

get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.

Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.

Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption due to stack-out-of-bounds write in BPF device mapping
Action: Patch
AI Analysis

Impact

The Linux kernel function get_upper_ifindexes() writes indices of upper network devices into an array without enforcing a boundary check. Callers assume the number of upper devices never exceeds the maximum, MAX_NEST_DEV, and allocate an array of size 1+MAX_NEST_DEV on the stack. In practice, the count can be larger—especially with many virtual interfaces such as macVLANs—leading to a stack‑out‑of‑bounds write. Based on the description, this memory corruption could destabilize the kernel or lead to privilege escalation if an attacker can influence the redirect path of an XDP program. The likely attack vector involves a local or privileged user loading a BPF program that uses the BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags on a device with many upper interfaces, then sending traffic to trigger the faulty redirect logic.

Affected Systems

Affected systems include any Linux kernel builds that contain the unpatched implementation of get_upper_ifindexes() and its callers. The specific kernel versions are not enumerated in the advisory, so all kernels upstream of the fix commit are considered vulnerable. The CVE references Linux:Linux for the affected vendor and product. The assumption that the vulnerability only applies to kernels with XDP programs attached to devices that host many macVLANs is inferred from the reproduction steps; however, any system capable of creating such a configuration would be at risk.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely exploitation scenario requires the attacker to have the ability to load a BPF program with specific flags and to configure a device with more than eight upper interfaces; this indicates a local or privileged attack surface rather than a remote vector. The attack can lead to a denial of service by crashing the kernel or, in a more advanced scenario, to privilege escalation through kernel memory corruption.

Generated by OpenCVE AI on April 15, 2026 at 19:44 UTC.
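The bug and its fix reduce to a sizing mismatch: the callers reserve 1 + MAX_NEST_DEV slots on the stack, but the collector had no way to stop once those slots were full. The following user-space model is an added example and is not kernel code: `struct model_dev`, `get_upper_ifindexes_bounded()`, `build_exclusion_list()` and the sample device data are constructed stand-ins for the kernel's net_device, get_upper_ifindexes() and the devmap broadcast caller. It shows the fixed shape of the collector (a `max` argument and `-EOVERFLOW` when the uppers do not fit, so the caller aborts the redirect) next to the arithmetic that made the unbounded loop overrun the array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the devmap exclusion list, not kernel code.
 * MAX_NEST_DEV is 8 in the kernel; the vulnerable callers sized the stack
 * array as excluded_devices[1 + MAX_NEST_DEV]. */
#define MAX_NEST_DEV 8
#define EXCLUDED_LEN (1 + MAX_NEST_DEV)

/* Hypothetical stand-in for a net_device and its list of upper devices. */
struct model_dev {
    int ifindex;                /* the ingress device's own index */
    const int *upper_ifindexes; /* indices of its upper devices (macvlans, ...) */
    size_t n_upper;
};

/* Models the fixed get_upper_ifindexes(): copy at most 'max' upper ifindexes
 * into 'indexes'. Returns the count written, or -EOVERFLOW if the upper
 * devices do not all fit, so the caller can abort instead of overrunning. */
static int get_upper_ifindexes_bounded(const struct model_dev *dev,
                                       int *indexes, int max)
{
    int n = 0;

    for (size_t i = 0; i < dev->n_upper; i++) {
        if (n >= max)
            return -EOVERFLOW;
        indexes[n++] = dev->upper_ifindexes[i];
    }
    return n;
}

/* Models the BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS caller: slot 0 holds the
 * ingress device, the remaining slots its uppers. Returns the number of
 * excluded entries, or a negative errno meaning "abort the redirect". */
static int build_exclusion_list(const struct model_dev *dev, int *excluded, int cap)
{
    int n;

    if (cap < 1)
        return -EINVAL;
    excluded[0] = dev->ifindex;
    n = get_upper_ifindexes_bounded(dev, excluded + 1, cap - 1);
    return n < 0 ? n : n + 1;
}

/* The pre-fix arithmetic: an unbounded loop writes 1 + n_upper entries into a
 * 'cap'-entry stack array. Returns 1 when that would run past the end. */
static int unbounded_loop_overflows(const struct model_dev *dev, int cap)
{
    return dev->n_upper + 1 > (size_t)cap;
}

/* Constructed samples: 3 uppers fits; 9 uppers is MAX_NEST_DEV + 1. */
static const int three_uppers[3] = { 11, 12, 13 };
static const int nine_uppers[9] = { 11, 12, 13, 14, 15, 16, 17, 18, 19 };

int demo_small(void)
{
    struct model_dev dev = { 2, three_uppers, 3 };
    int excluded[EXCLUDED_LEN];

    return build_exclusion_list(&dev, excluded, EXCLUDED_LEN); /* returns 4 */
}

int demo_big(void)
{
    struct model_dev dev = { 2, nine_uppers, 9 };
    int excluded[EXCLUDED_LEN];

    return build_exclusion_list(&dev, excluded, EXCLUDED_LEN); /* returns -EOVERFLOW */
}

int demo_prefix_overflow(void)
{
    struct model_dev dev = { 2, nine_uppers, 9 };

    return unbounded_loop_overflows(&dev, EXCLUDED_LEN); /* returns 1 */
}

int main(void)
{
    printf("3 uppers: %d entries excluded\n", demo_small());
    printf("9 uppers: rc=%d (%s)\n", demo_big(),
           demo_big() == -EOVERFLOW ? "redirect aborted" : "ok");
    printf("pre-fix loop would overrun the stack array: %d\n",
           demo_prefix_overflow());
    return 0;
}
```

The defender-relevant point is in `build_exclusion_list()`: once the collector can report overflow, the caller has a choice (abort the redirect) where before it had none, and the ninth macvlan becomes a refused redirect rather than a stack write past the array. Auditing similar fixed-size-on-stack collectors for a missing capacity argument is the general check this bug illustrates.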

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch commit released on 2026-03-25
  • If a kernel upgrade is not immediately possible, restrict the use of XDP programs with the BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS flags on devices that may host many macVLANs, thereby preventing the out-of-bounds write from being triggered
  • Continuously monitor system logs for XDP failures or kernel panics that may indicate exploitation attempts


Tracking


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Wed, 15 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-121

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-121

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
Title bpf: Fix stack-out-of-bounds write in devmap
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:10.801Z

Reserved: 2026-01-13T15:37:46.000Z

Link: CVE-2026-23359

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:34.740

Modified: 2026-04-18T09:16:21.097

Link: CVE-2026-23359

Redhat

Severity : Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23359 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T19:45:12Z

Weaknesses