CVE-2026-23276

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23276
In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not sufficient because tunnel recursion involves route lookups and full IP output, consuming much more stack per level. Use a lower limit of 4 (IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. Add recursion detection using dev_xmit_recursion helpers directly in iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). Move dev_xmit_recursion helpers from net/core/dev.h to public header include/linux/netdevice.h so they can be used by tunnel code. BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 Workqueue: mld mld_ifc_work Call Trace: <TASK> __build_flow_key.constprop.0 (net/ipv4/route.c:515) ip_rt_update_pmtu (net/ipv4/route.c:1073) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) mld_sendpack mld_ifc_work process_one_work worker_thread </TASK>

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4 Patch
https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85 Patch
https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385 Patch
https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
History

22 May 2026, 18:02

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4 - () https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4 - Patch
References () https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85 - () https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85 - Patch
References () https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385 - () https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385 - Patch
References () https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e - () https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e - Patch
First Time Linux
Linux linux Kernel
CPE cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
CWE CWE-674

25 Mar 2026, 11:16

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net: añadir límite de recursión de xmit a las funciones xmit de túnel Las funciones xmit de túnel (iptunnel_xmit, ip6tunnel_xmit) carecen de su propio límite de recursión. Cuando un dispositivo bond en modo broadcast tiene interfaces GRE tap como esclavos, y esos túneles GRE enrutan de vuelta a través del bond, el tráfico multicast/broadcast desencadena una recursión infinita entre bond_xmit_broadcast() y ip_tunnel_xmit()/ip6_tnl_xmit(), causando un desbordamiento de pila del kernel. El XMIT_RECURSION_LIMIT (8) existente en la ruta sin qdisc no es suficiente porque la recursión del túnel implica búsquedas de ruta y salida IP completa, consumiendo mucha más pila por nivel. Use un límite inferior de 4 (IP_TUNNEL_RECURSION_LIMIT) para prevenir el desbordamiento. Añada detección de recursión usando las funciones auxiliares dev_xmit_recursion directamente en iptunnel_xmit() y ip6tunnel_xmit() para cubrir todas las rutas de túnel IPv4/IPv6, incluyendo los túneles encapsulados UDP (VXLAN, Geneve, etc.). Mueva las funciones auxiliares dev_xmit_recursion de net/core/dev.h al encabezado público include/linux/netdevice.h para que puedan ser usadas por el código del túnel. BUG: KASAN: pila-fuera-de-límites en blake2s.constprop.0+0xe7/0x160 Escritura de tamaño 32 en la dirección ffff88810033fed0 por la tarea kworker/0:1/11 Cola de trabajo: mld mld_ifc_work Rastro de Llamada: __build_flow_key.constprop.0 (net/ipv4/route.c:515) ip_rt_update_pmtu (net/ipv4/route.c:1073) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) mld_sendpack mld_ifc_work process_one_work worker_thread
References
  • () https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85 -

20 Mar 2026, 09:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-20 09:16

Updated : 2026-05-22 18:02

NVD link : CVE-2026-23276

Mitre link : CVE-2026-23276

CVE.ORG link : CVE-2026-23276

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-674

Uncontrolled Recursion