{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23276","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.991Z","datePublished":"2026-03-20T08:08:56.575Z","dateUpdated":"2026-05-11T22:03:44.045Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:03:44.045Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n  <TASK>\n  __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n  ip_rt_update_pmtu (net/ipv4/route.c:1073)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  mld_sendpack\n  mld_ifc_work\n  process_one_work\n  worker_thread\n  </TASK>"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/netdevice.h","include/net/ip6_tunnel.h","include/net/ip_tunnels.h","net/core/dev.h","net/ipv4/ip_tunnel_core.c"],"versions":[{"version":"745e20f1b626b1be4b100af5d4bf7b3439392f8f","lessThan":"834c4f645726a25fd71ea50cdfb5c135f8f95d85","status":"affected","versionType":"git"},{"version":"745e20f1b626b1be4b100af5d4bf7b3439392f8f","lessThan":"8a57deeb256069f262957d8012418559ff66c385","status":"affected","versionType":"git"},{"version":"745e20f1b626b1be4b100af5d4bf7b3439392f8f","lessThan":"b56b8d19bd05e2a8338385c770bc2b60590bc81e","status":"affected","versionType":"git"},{"version":"745e20f1b626b1be4b100af5d4bf7b3439392f8f","lessThan":"6f1a9140ecda3baba3d945b9a6155af4268aafc4","status":"affected","versionType":"git"},{"version":"3f266b04185de51d8e6446eb1fccec3b5e7ce575","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/netdevice.h","include/net/ip6_tunnel.h","include/net/ip_tunnels.h","net/core/dev.h","net/ipv4/ip_tunnel_core.c"],"versions":[{"version":"2.6.37","status":"affected"},{"version":"0","lessThan":"2.6.37","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.19","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.9","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"6.18.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"6.19.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85"},{"url":"https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385"},{"url":"https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e"},{"url":"https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4"}],"title":"net: add xmit recursion limit to tunnel xmit functions","x_generator":{"engine":"bippy-1.2.0"}}}}