CVE-2026-23386 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL

In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA
buffer cleanup path. It iterates num_bufs times and attempts to unmap
entries in the dma array.

This leads to two issues:
1. The dma array shares storage with tx_qpl_buf_ids (union).
Interpreting buffer IDs as DMA addresses results in attempting to
unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed
the size of the dma array, causing out-of-bounds access warnings
(trace below is how we noticed this issue).

UBSAN: array-index-out-of-bounds in
drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of
range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
Workqueue: gve gve_service_task [gve]
Call Trace:
<TASK>
dump_stack_lvl+0x33/0xa0
__ubsan_handle_out_of_bounds+0xdc/0x110
gve_tx_stop_ring_dqo+0x182/0x200 [gve]
gve_close+0x1be/0x450 [gve]
gve_reset+0x99/0x120 [gve]
gve_service_task+0x61/0x100 [gve]
process_scheduled_works+0x1e9/0x380

Fix this by properly checking for QPL mode and delegating to
gve_free_tx_qpl_bufs() to reclaim the buffers.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The gve driver in the Linux kernel contains a flaw in the gve_tx_clean_pending_packets function when operating in DQ-QPL mode. It incorrectly reuses the RDA buffer cleanup path, interpreting buffer IDs as DMA addresses and iterating beyond the bounds of the dma array. This causes attempts to unmap incorrect memory locations and can trigger out-of-bounds array access, which in turn may lead to kernel panics or unpredictable behavior. The vulnerability is a memory corruption issue that can destabilise the system but does not provide remote code execution. The description explicitly mentions out‑of‑bounds access warnings and the need for a fix that properly checks for QPL mode and delegates cleanup to gve_free_tx_qpl_bufs().

Affected Systems

Any Linux kernel build that includes the gve driver and has not yet applied the patch that resolves CVE‑2026‑23386 is vulnerable. The vendor of the affected product is Linux and the product is the Linux kernel. Specific version numbers are not listed in the advisory, but the vulnerability applies to all kernels that expose the gve driver and run in DQ‑QPL mode.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The bug appears to require local interaction with the gve driver—likely through normal network traffic or driver activity—to trigger, so it is inferred that the attack vector is local. No public exploit has been reported, and the impact is primarily a denial of service through kernel crashes.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a6fb8d5a8b6925f1e635818d3dd2d89531d4a058`	affected	< 71511dae56a75ce161aa746741e5c498feaea393
`a6fb8d5a8b6925f1e635818d3dd2d89531d4a058`	affected	< c171f90f58974c784db25e0606051541cb71b7f0
`a6fb8d5a8b6925f1e635818d3dd2d89531d4a058`	affected	< 07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f
`a6fb8d5a8b6925f1e635818d3dd2d89531d4a058`	affected	< 3744ebd8ffaa542ae8110fb449adcac0202f4cc8
`a6fb8d5a8b6925f1e635818d3dd2d89531d4a058`	affected	< fb868db5f4bccd7a78219313ab2917429f715cea

Linux

affected

Version	Status	Constraints
`6.6`	affected	—
`0`	unaffected	< 6.6
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0-rc2`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,71511dae56a75ce161aa746741e5c498feaea393)`	affected	code_commit	—
`[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,c171f90f58974c784db25e0606051541cb71b7f0)`	affected	code_commit	—
`[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f)`	affected	code_commit	—
`[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,3744ebd8ffaa542ae8110fb449adcac0202f4cc8)`	affected	code_commit	—
`[a6fb8d5a8b6925f1e635818d3dd2d89531d4a058,fb868db5f4bccd7a78219313ab2917429f715cea)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.6`	affected	generic	—
`[0,6.6)`	unaffected	generic	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,7.0.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the CVE‑2026‑23386 patch
Verify that the gve driver is updated to the fixed version on all systems
Regularly monitor kernel logs for UBSAN or out‑of‑bounds warnings associated with the gve driver
If immediate patch deployment is not possible, consider disabling QPL mode or isolating the affected hardware until the patch is available.

Generated by OpenCVE AI on March 26, 2026 at 14:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f
https://git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8
https://git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393
https://git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0
https://git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea
https://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23386-acc4@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23386
https://www.cve.org/CVERecord?id=CVE-2026-23386

History

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-125 CWE-787

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23386-acc4@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23386 https://www.cve.org/CVERecord?id=CVE-2026-23386
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125 CWE-787

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array. This leads to two issues: 1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations. 2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed the size of the dma array, causing out-of-bounds access warnings (trace below is how we noticed this issue). UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]') Workqueue: gve gve_service_task [gve] Call Trace: <TASK> dump_stack_lvl+0x33/0xa0 __ubsan_handle_out_of_bounds+0xdc/0x110 gve_tx_stop_ring_dqo+0x182/0x200 [gve] gve_close+0x1be/0x450 [gve] gve_reset+0x99/0x120 [gve] gve_service_task+0x61/0x100 [gve] process_scheduled_works+0x1e9/0x380 Fix this by properly checking for QPL mode and delegating to gve_free_tx_qpl_bufs() to reclaim the buffers.
Title		gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f https://git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8 https://git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393 https://git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0 https://git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:28:04.118Z

Updated: 2026-03-25T10:28:04.118Z

Reserved: 2026-01-13T15:37:46.008Z

Link: CVE-2026-23386

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:38.960

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23386

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23386 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:48:54Z

Weaknesses

CWE-1285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object