{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23343","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.999Z","datePublished":"2026-03-25T10:27:31.130Z","dateUpdated":"2026-05-11T22:05:00.366Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:05:00.366Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: produce a warning when calculated tailroom is negative\n\nMany ethernet drivers report xdp Rx queue frag size as being the same as\nDMA write size. However, the only user of this field, namely\nbpf_xdp_frags_increase_tail(), clearly expects a truesize.\n\nSuch difference leads to unspecific memory corruption issues under certain\ncircumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when\nrunning xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses\nall DMA-writable space in 2 buffers. This would be fine, if only\nrxq->frag_size was properly set to 4K, but value of 3K results in a\nnegative tailroom, because there is a non-zero page offset.\n\nWe are supposed to return -EINVAL and be done with it in such case, but due\nto tailroom being stored as an unsigned int, it is reported to be somewhere\nnear UINT_MAX, resulting in a tail being grown, even if the requested\noffset is too much (it is around 2K in the abovementioned test). This later\nleads to all kinds of unspecific calltraces.\n\n[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6\n[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4\n[ 7340.338179]  in libc.so.6[61c9d,7f4161aaf000+160000]\n[ 7340.339230]  in xskxceiver[42b5,400000+69000]\n[ 7340.340300]  likely on CPU 6 (core 0, socket 6)\n[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe\n[ 7340.340888]  likely on CPU 3 (core 0, socket 3)\n[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7\n[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI\n[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)\n[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80\n[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89\n[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202\n[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010\n[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff\n[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0\n[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0\n[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500\n[ 7340.418229] FS:  0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000\n[ 7340.419489] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0\n[ 7340.421237] PKRU: 55555554\n[ 7340.421623] Call Trace:\n[ 7340.421987]  <TASK>\n[ 7340.422309]  ? softleaf_from_pte+0x77/0xa0\n[ 7340.422855]  swap_pte_batch+0xa7/0x290\n[ 7340.423363]  zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270\n[ 7340.424102]  zap_pte_range+0x281/0x580\n[ 7340.424607]  zap_pmd_range.isra.0+0xc9/0x240\n[ 7340.425177]  unmap_page_range+0x24d/0x420\n[ 7340.425714]  unmap_vmas+0xa1/0x180\n[ 7340.426185]  exit_mmap+0xe1/0x3b0\n[ 7340.426644]  __mmput+0x41/0x150\n[ 7340.427098]  exit_mm+0xb1/0x110\n[ 7340.427539]  do_exit+0x1b2/0x460\n[ 7340.427992]  do_group_exit+0x2d/0xc0\n[ 7340.428477]  get_signal+0x79d/0x7e0\n[ 7340.428957]  arch_do_signal_or_restart+0x34/0x100\n[ 7340.429571]  exit_to_user_mode_loop+0x8e/0x4c0\n[ 7340.430159]  do_syscall_64+0x188/\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/filter.c"],"versions":[{"version":"bf25146a5595269810b1f47d048f114c5ff9f544","lessThan":"01379540452a02bbc52f639d45dd365cd3624efb","status":"affected","versionType":"git"},{"version":"bf25146a5595269810b1f47d048f114c5ff9f544","lessThan":"a0fb59f527d03c60b2cd547cfae4a842ad84670f","status":"affected","versionType":"git"},{"version":"bf25146a5595269810b1f47d048f114c5ff9f544","lessThan":"c7c790a07697148c41e2d03eb28efe132adda749","status":"affected","versionType":"git"},{"version":"bf25146a5595269810b1f47d048f114c5ff9f544","lessThan":"98cd8b4d0b836d3edf70161f40efd9cbb8c8f252","status":"affected","versionType":"git"},{"version":"bf25146a5595269810b1f47d048f114c5ff9f544","lessThan":"94b9da7e9f958cb3d115b21eff824ecd8c3217aa","status":"affected","versionType":"git"},{"version":"bf25146a5595269810b1f47d048f114c5ff9f544","lessThan":"8821e857759be9db3cde337ad328b71fe5c8a55f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/filter.c"],"versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.77","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.12.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.18.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.19.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01379540452a02bbc52f639d45dd365cd3624efb"},{"url":"https://git.kernel.org/stable/c/a0fb59f527d03c60b2cd547cfae4a842ad84670f"},{"url":"https://git.kernel.org/stable/c/c7c790a07697148c41e2d03eb28efe132adda749"},{"url":"https://git.kernel.org/stable/c/98cd8b4d0b836d3edf70161f40efd9cbb8c8f252"},{"url":"https://git.kernel.org/stable/c/94b9da7e9f958cb3d115b21eff824ecd8c3217aa"},{"url":"https://git.kernel.org/stable/c/8821e857759be9db3cde337ad328b71fe5c8a55f"}],"title":"xdp: produce a warning when calculated tailroom is negative","x_generator":{"engine":"bippy-1.2.0"}}}}