CVE-2026-23390

{"id": "CVE-2026-23390", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-25T11:16:39.567", "references": [{"url": "https://git.kernel.org/stable/c/02d209bb018a40dee9eac89e91860253dee9605b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/daafcc0ef0b358d9d622b6e3b7c43767aa3814ee", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f2584f791a10343bdc995ff6ff402db45b95de69", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow\n\nThe dma_map_sg tracepoint can trigger a perf buffer overflow when\ntracing large scatter-gather lists. With devices like virtio-gpu\ncreating large DRM buffers, nents can exceed 1000 entries, resulting\nin:\n\n phys_addrs: 1000 * 8 bytes = 8,000 bytes\n dma_addrs: 1000 * 8 bytes = 8,000 bytes\n lengths: 1000 * 4 bytes = 4,000 bytes\n Total: ~20,000 bytes\n\nThis exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:\n\n WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405\n perf buffer not large enough, wanted 24620, have 8192\n\nCap all three dynamic arrays at 128 entries using min() in the array\nsize calculation. This ensures arrays are only as large as needed\n(up to the cap), avoiding unnecessary memory allocation for small\noperations while preventing overflow for large ones.\n\nThe tracepoint now records the full nents/ents counts and a truncated\nflag so users can see when data has been capped.\n\nChanges in v2:\n- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing\n instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from\n Steven Rostedt)\n- This allocates only what's needed up to the cap, avoiding waste\n for small operations\n\nReviwed-by: Sean Anderson <sean.anderson@linux.dev>"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ntracing/dma: Limitar los arrays del tracepoint dma_map_sg para prevenir el desbordamiento de b\u00fafer\n\nEl tracepoint dma_map_sg puede desencadenar un desbordamiento de b\u00fafer de perf al trazar listas grandes de scatter-gather. Con dispositivos como virtio-gpu creando b\u00faferes DRM grandes, nents puede exceder las 1000 entradas, resultando en:\n\n phys_addrs: 1000 * 8 bytes = 8.000 bytes\n dma_addrs: 1000 * 8 bytes = 8.000 bytes\n lengths: 1000 * 4 bytes = 4.000 bytes\n Total: ~20.000 bytes\n\nEsto excede PERF_MAX_TRACE_SIZE (8192 bytes), causando:\n\n ADVERTENCIA: CPU: 0 PID: 5497 en kernel/trace/trace_event_perf.c:405\n b\u00fafer de perf no lo suficientemente grande, se quer\u00edan 24620, se tienen 8192\n\nLimitar los tres arrays din\u00e1micos a 128 entradas usando min() en el c\u00e1lculo del tama\u00f1o del array. Esto asegura que los arrays sean solo tan grandes como sea necesario (hasta el l\u00edmite), evitando la asignaci\u00f3n de memoria innecesaria para operaciones peque\u00f1as mientras se previene el desbordamiento para las grandes.\n\nEl tracepoint ahora registra los conteos completos de nents/ents y un indicador de truncamiento para que los usuarios puedan ver cu\u00e1ndo los datos han sido limitados.\n\nCambios en v2:\n- Usar min(nents, DMA_TRACE_MAX_ENTRIES) para el dimensionamiento din\u00e1mico del array en lugar de la asignaci\u00f3n fija de DMA_TRACE_MAX_ENTRIES (comentarios de Steven Rostedt)\n- Esto asigna solo lo necesario hasta el l\u00edmite, evitando el desperdicio para operaciones peque\u00f1as\n\nRevisado por: Sean Anderson "}], "lastModified": "2026-04-24T18:32:24.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D530012-C124-4425-AC28-91B8FACB2151", "versionEndExcluding": "6.12.74", "versionStartIncluding": "6.12.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BDEF9FB-423E-49F6-991B-9277CC3AF400", "versionEndExcluding": "6.18.13", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E698080-7669-4132-8817-4C674EEBCE54"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}