CVE-2026-23143

{"id": "CVE-2026-23143", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-14T16:15:54.383", "references": [{"url": "https://git.kernel.org/stable/c/4156c3745f06bc197094b9ee97a9584e69ed00bf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae48108c2310f1dd700e0dbb655c2f1d92ed00fc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix misalignment bug in struct virtnet_info\n\nUse the new TRAILING_OVERLAP() helper to fix a misalignment bug\nalong with the following warning:\n\ndrivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nThis helper creates a union between a flexible-array member (FAM)\nand a set of members that would otherwise follow it (in this case\n`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This\noverlays the trailing members (rss_hash_key_data) onto the FAM\n(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.\nThe static_assert() ensures this alignment remains.\n\nNotice that due to tail padding in flexible `struct\nvirtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`\n(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at\noffset 84 in struct virtnet_info) are misaligned by one byte. See\nbelow:\n\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n\nAfter changes, those members are correctly aligned at offset 795:\n\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n\nAs a result, the RSS key passed to the device is shifted by 1\nbyte: the last byte is cut off, and instead a (possibly\nuninitialized) byte is added at the beginning.\n\nAs a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also\nmoved to the end, since it seems those three members should stick\naround together. :)"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nvirtio_net: Corrige un error de desalineaci\u00f3n en la estructura virtnet_info\n\nUsa el nuevo ayudante TRAILING_OVERLAP() para corregir un error de desalineaci\u00f3n junto con la siguiente advertencia:\n\ndrivers/net/virtio_net.c:429:46: advertencia: la estructura que contiene un miembro de array flexible no est\u00e1 al final de otra estructura [-Wflex-array-member-not-at-end]\n\nEste ayudante crea una uni\u00f3n entre un miembro de array flexible (FAM) y un conjunto de miembros que de otro modo lo seguir\u00edan (en este caso 'u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];'). Esto superpone los miembros finales (rss_hash_key_data) sobre el FAM (hash_key_data) mientras mantiene el FAM y el inicio de los MIEMBROS alineados. El static_assert() asegura que esta alineaci\u00f3n se mantenga.\n\nN\u00f3tese que debido al relleno de cola en la estructura flexible 'struct virtio_net_rss_config_trailer', 'rss_trailer.hash_key_data' (en el desplazamiento 83 en la estructura virtnet_info) y 'rss_hash_key_data' (en el desplazamiento 84 en la estructura virtnet_info) est\u00e1n desalineados por un byte. Ver a continuaci\u00f3n:\n\n```\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n```\n\n```\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n```\n\nDespu\u00e9s de los cambios, esos miembros est\u00e1n correctamente alineados en el desplazamiento 795:\n\n```\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n```\n\nComo resultado, la clave RSS pasada al dispositivo se desplaza 1 byte: el \u00faltimo byte se corta y, en su lugar, se a\u00f1ade un byte (posiblemente no inicializado) al principio.\n\nComo \u00faltima nota, 'struct virtio_net_rss_config_hdr *rss_hdr;' tambi\u00e9n se mueve al final, ya que parece que esos tres miembros deber\u00edan permanecer juntos. :)"}], "lastModified": "2026-03-17T21:13:32.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2446B98C-005E-4681-A566-03D3F408B450", "versionEndExcluding": "6.18.7", "versionStartIncluding": "6.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}