Description
In the Linux kernel, the following vulnerability has been resolved:

ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

The only user of frag_size field in XDP RxQ info is
bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead
of DMA write size. Different assumptions in ice driver configuration lead
to negative tailroom.

This allows triggering a kernel panic when using
XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to
6912 and the requested offset to a huge value, e.g.
XSK_UMEM__MAX_FRAME_SIZE * 100.

Due to other quirks of the ZC configuration in ice, panic is not observed
in ZC mode, but tailroom growing still fails when it should not.

Use fill queue buffer truesize instead of DMA write size in XDP RxQ info.
Fix ZC mode too by using the new helper.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Kernel Panic
Action: Patch Kernel
AI Analysis

Impact

The vulnerability resides in the ice driver’s handling of the XDP Receive Queue frag_size field. The field was incorrectly set to the DMA write length rather than the full XDP frame size, causing the helper bpf_xdp_frags_increase_tail() to compute an incorrect tailroom size. When an XDP program uses the XDP_ADJUST_TAIL_GROW_MULTI_BUFF operation with an oversized packet size and a very large offset, the driver attempts to grow the tailroom based on a negative value, triggering a kernel panic. This flaw is classified as a classic integer overflow/underflow (CWE‑131) and results in a system‑wide denial of service. The patch replaces frag_size with the true queue buffer size and also fixes zero‑copy mode.
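The arithmetic behind the negative tailroom, as an added example: a simplified user-space model, not the kernel's or the ice driver's code. It assumes tailroom is computed as frag_size minus the fragment's length and offset in unsigned arithmetic; the struct, the function names and all sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the last fragment of a multi-buffer XDP frame. */
struct frag_model {
    uint32_t off; /* where the data starts inside the buffer */
    uint32_t len; /* bytes already occupied by packet data */
};

/* Assumed formula: tailroom = frag_size - len - off, in unsigned math.
 * If frag_size is smaller than off + len, the result wraps around. */
uint32_t tailroom_unsigned(uint32_t frag_size, const struct frag_model *f)
{
    return frag_size - f->len - f->off;
}

/* Bounds check that trusts the wrapped value. 0 = grow allowed, -1 = refused. */
int grow_tail_naive(uint32_t frag_size, const struct frag_model *f, uint32_t want)
{
    return want > tailroom_unsigned(frag_size, f) ? -1 : 0;
}

/* Hardened check: refuse outright when the buffer is already over-committed. */
int grow_tail_checked(uint32_t frag_size, const struct frag_model *f, uint32_t want)
{
    uint64_t used = (uint64_t)f->off + f->len;

    if (used > frag_size)
        return -1; /* tailroom would be negative */
    return want > frag_size - used ? -1 : 0;
}

int main(void)
{
    /* Constructed sizes: 4096-byte buffer, 3072-byte DMA write length. */
    const uint32_t frame_sz = 4096, dma_len = 3072, huge = 409600;
    const struct frag_model f = { .off = 256, .len = 3072 };

    printf("frag_size=dma_len : tailroom=%u naive=%d checked=%d\n",
           tailroom_unsigned(dma_len, &f),
           grow_tail_naive(dma_len, &f, huge), grow_tail_checked(dma_len, &f, huge));
    printf("frag_size=frame_sz: tailroom=%u naive=%d checked=%d\n",
           tailroom_unsigned(frame_sz, &f),
           grow_tail_naive(frame_sz, &f, huge), grow_tail_checked(frame_sz, &f, 512));
    return 0;
}
```

With frag_size set to the smaller DMA write length, the naive check accepts an oversized growth request because the wrapped tailroom looks enormous; with the full buffer size the same request is refused.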

Affected Systems

This issue affects all Linux kernel releases that ship the unpatched ice network driver. The ice driver is used for Intel Ethernet controllers in the Linux kernel. No specific kernel version range is provided in the advisory, so any kernel that has not yet incorporated the change to compute frag_size correctly may be vulnerable. Vendors that distribute kernels containing the legacy ice driver need to ensure the fix is included before exposing the kernel to user‑programmed XDP logic.

Risk and Exploitability

The CVSS score of 7.0 denotes medium severity. The EPSS value is under 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating a relatively low probability of mass exploitation. Nonetheless, the flaw requires an attacker to induce a specially crafted XDP packet path that invokes the problematic tail‑growth operation. Such a scenario is feasible only on systems that allow custom XDP programs on the ice driver, so while exploitation is possible, it may be limited to targeted or privileged environments.

Generated by OpenCVE AI on March 26, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to include the patch that corrects frag_size handling in the ice driver.
  • If a kernel upgrade cannot be performed immediately, refrain from using XDP_ADJUST_TAIL_GROW_MULTI_BUFF with packet sizes beyond 6912 bytes or with excessively large offsets.
  • If XDP functionality on the ice device is not required, disable the XDP path to eliminate this attack surface.
  • Monitor kernel logs for panics or related error messages and apply the vendor’s latest patch as soon as it becomes available.


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.3:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-681

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-681

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz The only user of frag_size field in XDP RxQ info is bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead of DMA write size. Different assumptions in ice driver configuration lead to negative tailroom. This allows to trigger kernel panic, when using XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to 6912 and the requested offset to a huge value, e.g. XSK_UMEM__MAX_FRAME_SIZE * 100. Due to other quirks of the ZC configuration in ice, panic is not observed in ZC mode, but tailroom growing still fails when it should not. Use fill queue buffer truesize instead of DMA write size in XDP RxQ info. Fix ZC mode too by using the new helper.
Title ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:12.775Z

Reserved: 2026-01-13T15:37:46.006Z

Link: CVE-2026-23377

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-25T11:16:37.520

Modified: 2026-04-24T16:23:12.463

Link: CVE-2026-23377

Redhat

Severity: Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23377 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:49:03Z

Weaknesses