bpf: Fix stack-out-of-bounds write in devmap

Summary

CVE	CVE-2026-23359
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-03-25 11:16:34 UTC
Updated	2026-04-18 09:16:21 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST \| BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.

Risk And Classification

EPSS: 0.000320000 probability, percentile 0.090980000 (date 2026-04-18)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected aeea1b86f9363f3feabb496534d886f082a89f21 88df604f0d16a692867582350ce3f2fcd22243f1 git	Not specified
CNA	Linux	Linux	affected aeea1b86f9363f3feabb496534d886f082a89f21 5000e40acc8d0c36ab709662e32120986ac22e7e git	Not specified
CNA	Linux	Linux	affected aeea1b86f9363f3feabb496534d886f082a89f21 8a95fb9df1105b1618872c2846a6c01e3ba20b45 git	Not specified
CNA	Linux	Linux	affected aeea1b86f9363f3feabb496534d886f082a89f21 d2c31d8e03d05edc16656e5ffe187f0d1da763d7 git	Not specified
CNA	Linux	Linux	affected aeea1b86f9363f3feabb496534d886f082a89f21 75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2 git	Not specified
CNA	Linux	Linux	affected aeea1b86f9363f3feabb496534d886f082a89f21 ca831567908fd3f73cf97d8a6c09a5054697a182 git	Not specified
CNA	Linux	Linux	affected aeea1b86f9363f3feabb496534d886f082a89f21 b7bf516c3ecd9a2aae2dc2635178ab87b734fef1 git	Not specified
CNA	Linux	Linux	affected 5.15	Not specified
CNA	Linux	Linux	unaffected 5.15 semver	Not specified
CNA	Linux	Linux	unaffected 5.15.203 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.167 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.77 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.17 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.7 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.