CVE-2026-23459 - Vulnerability Details

- ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS

Description

In the Linux kernel, the following vulnerability has been resolved:

ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS

Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which
call iptunnel_xmit_stats().

iptunnel_xmit_stats() was assuming tunnels were only using
NETDEV_PCPU_STAT_TSTATS.

@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.

32bit kernels would either have corruptions or freezes if the syncp
sequence was overwritten.

This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid
a potential cache line miss since iptunnel_xmit_stats() needs to read it.

Published: 2026-04-03

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s iptunnel_xmit_stats() function incorrectly assumed all tunnel interfaces used NETDEV_PCPU_STAT_TSTATS, but VXLAN and Geneve tunnels use NETDEV_PCPU_STAT_DSTATS. On 32‑bit kernels the differing offset between pcpu_sw_netstats and pcpu_dstats can overwrite the syncp sequence, leading to memory corruption and a system freeze. This results in a denial‑of‑service condition that can be brought on by traffic sent over the affected tunnels.

Affected Systems

Any system running a Linux kernel version prior to the inclusion of the iptunnel patch is susceptible. The issue is most severe on 32‑bit architectures, but any kernel exposed to VXLAN or Geneve traffic without the patch could experience statistics corruption, regardless of vendor kernel build.

Risk and Exploitability

The CVSS score is not supplied, but the nature of the memory corruption indicates a high‑impact flaw. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog. Inferred likely attack vectors involve an attacker who can send traffic over VXLAN or Geneve interfaces to the host, either from inside the network or from an external source capable of reaching the tunnel endpoints. Successful exploitation would result in a crash or hang, disrupting availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`be226352e8dc77d3313c096b2d8e7f69bf6980fc`	affected	< 0d087d00161f562d5047cc4009bb0c6a19daf9f1
`be226352e8dc77d3313c096b2d8e7f69bf6980fc`	affected	< 8431c602f551549f082bbfa67f3003f2d8e3e132

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[be226352e8dc77d3313c096b2d8e7f69bf6980fc,0d087d00161f562d5047cc4009bb0c6a19daf9f1)`	affected	code_commit	—
`[be226352e8dc77d3313c096b2d8e7f69bf6980fc,8431c602f551549f082bbfa67f3003f2d8e3e132)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	generic	—
`[0,6.14)`	unaffected	generic	—
`[6.19.10,7.0.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the iptunnel statistics patch.
If an immediate update is not possible, disable VXLAN and Geneve interfaces until the fix is deployed.
Verify that no tunnel traffic can deliver packets to the system during the mitigation period.
Monitor kernel logs for signs of statistics corruption or unexpected freezes.
Stay current with vendor security advisories to apply subsequent updates promptly.

Generated by OpenCVE AI on April 4, 2026 at 04:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0d087d00161f562d5047cc4009bb0c6a19daf9f1
https://git.kernel.org/stable/c/8431c602f551549f082bbfa67f3003f2d8e3e132
https://lore.kernel.org/linux-cve-announce/2026040319-CVE-2026-23459-fcfb@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23459
https://www.cve.org/CVERecord?id=CVE-2026-23459

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-821
References		https://lore.kernel.org/linux-cve-announce/2026040319-CVE-2026-23459-fcfb@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23459 https://www.cve.org/CVERecord?id=CVE-2026-23459

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats(). iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS. @syncp offset in pcpu_sw_netstats and pcpu_dstats is different. 32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten. This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.
Title		ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0d087d00161f562d5047cc4009bb0c6a19daf9f1 https://git.kernel.org/stable/c/8431c602f551549f082bbfa67f3003f2d8e3e132

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:39.665Z

Updated: 2026-04-13T06:07:52.682Z

Reserved: 2026-01-13T15:37:46.021Z

Link: CVE-2026-23459

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:32.833

Modified: 2026-04-07T13:21:09.600

Link: CVE-2026-23459

Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23459 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T07:17:20Z

Weaknesses

CWE-821

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object