Description
In the Linux kernel, the following vulnerability has been resolved:

tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow

The dma_map_sg tracepoint can trigger a perf buffer overflow when
tracing large scatter-gather lists. With devices like virtio-gpu
creating large DRM buffers, nents can exceed 1000 entries, resulting
in:

phys_addrs: 1000 * 8 bytes = 8,000 bytes
dma_addrs: 1000 * 8 bytes = 8,000 bytes
lengths: 1000 * 4 bytes = 4,000 bytes
Total: ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at 128 entries using min() in the array
size calculation. This ensures arrays are only as large as needed
(up to the cap), avoiding unnecessary memory allocation for small
operations while preventing overflow for large ones.

The tracepoint now records the full nents/ents counts and a truncated
flag so users can see when data has been capped.

Changes in v2:
- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing
instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from
Steven Rostedt)
- This allocates only what's needed up to the cap, avoiding waste
for small operations

Reviewed-by: Sean Anderson <sean.anderson@linux.dev>
Published: 2026-03-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The kernel’s dma_map_sg tracepoint can allocate dynamic arrays large enough to overflow the perf buffer. When devices such as virtio‑gpu create scatter‑gather lists with more than a thousand entries, the tracepoint attempts to record over 20 KB of data, exceeding the 8 KB limit enforced by PERF_MAX_TRACE_SIZE. This results in a buffer overflow logged as a perf buffer warning and can corrupt kernel memory, potentially leading to a system crash or denial of service. This issue is classified as a buffer overflow (CWE‑131).
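A userspace model of the sizing described above, added here as an illustration and not taken from the kernel patch. The names struct sg_hdr, sg_trace_write and sg_trace_demo are hypothetical, and only the three arrays plus a small assumed header are counted, so the byte totals differ from the 24620 in the warning.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PERF_MAX_TRACE_SIZE   8192u /* limit quoted in the description */
#define DMA_TRACE_MAX_ENTRIES 128u  /* cap quoted in the description */
struct sg_hdr { uint32_t nents, stored, truncated; }; /* assumed model header */

/* Serialise one record. cap == 0 models the unpatched sizing (arrays sized by
 * nents); otherwise min(nents, cap). Returns bytes written, -1 if it won't fit. */
static long sg_trace_write(uint8_t *buf, size_t buflen, const uint64_t *phys,
    const uint64_t *dma, const uint32_t *len, uint32_t nents, uint32_t cap)
{
    uint32_t n = (cap && nents > cap) ? cap : nents;
    size_t need = sizeof(struct sg_hdr) + (size_t)n * (8 + 8 + 4);
    struct sg_hdr h = { nents, n, n < nents };
    uint8_t *p = buf;
    if (need > buflen)
        return -1; /* refuse rather than write past the buffer */
    memcpy(p, &h, sizeof(h));       p += sizeof(h);
    memcpy(p, phys, (size_t)n * 8); p += (size_t)n * 8;
    memcpy(p, dma, (size_t)n * 8);  p += (size_t)n * 8;
    memcpy(p, len, (size_t)n * 4);  p += (size_t)n * 4;
    return (long)(p - buf);
}

/* Constructed list of nents (<= 1024) 4 KiB segments; header copied out on success. */
static long sg_trace_demo(uint32_t nents, uint32_t cap, struct sg_hdr *out)
{
    static uint64_t phys[1024], dma[1024];
    static uint32_t len[1024];
    static uint8_t buf[PERF_MAX_TRACE_SIZE];
    if (nents > 1024) return -1;
    for (uint32_t i = 0; i < nents; i++) {
        phys[i] = 0x100000000ull + 4096ull * i; /* constructed addresses */
        dma[i] = 0x80000000ull + 4096ull * i;
        len[i] = 4096;
    }
    long written = sg_trace_write(buf, sizeof(buf), phys, dma, len, nents, cap);
    if (written > 0)
        memcpy(out, buf, sizeof(*out));
    return written;
}

int main(void)
{
    struct sg_hdr h = { 0, 0, 0 };
    printf("uncapped: %ld\n", sg_trace_demo(1000, 0, &h));
    printf("capped:   %ld\n", sg_trace_demo(1000, DMA_TRACE_MAX_ENTRIES, &h));
    return !h.truncated;
}
```

With the cap, a 1000-entry list produces a record that fits and carries nents=1000, stored=128, truncated=1, which is what lets a trace consumer tell capped data from a genuinely short list.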

Affected Systems

The vulnerability is present in the Linux kernel across all supported distributions that embed the affected code path. No specific kernel releases are listed in the advisory, so any kernel version that contains the unpatched dma_map_sg tracepoint is susceptible. The focus is on the generic implementation rather than a particular vendor.

Risk and Exploitability

Exploitability is considered low to moderate. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating limited public exploitation. An attack would require access to a user account that can trigger large scatter-gather operations, or a privileged context that enables kernel tracing. Because the flaw only manifests when the dma_map_sg tracepoint is active, a local attacker would need to enable tracing and provoke a scatter-gather list with a high entry count, making the risk lower than that of a remotely exploitable code-execution flaw.

Generated by OpenCVE AI on March 26, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch which caps dma_map_sg tracepoint arrays at 128 entries.
  • Verify that the kernel configuration enables the updated dma_map_sg tracepoint implementation.
  • Restart services or reboot to ensure the updated kernel is active.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description (identical to the Description text at the top of this page)
Title tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-25T16:49:17.786Z

Reserved: 2026-01-13T15:37:46.008Z

Link: CVE-2026-23390

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-25T11:16:39.567

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23390

Red Hat

Severity:

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23390 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:47:16Z

Weaknesses