gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL

CVE	CVE-2026-23386
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-03-25 11:16:38 UTC
Updated	2026-04-24 18:44:53 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array. This leads to two issues: 1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations. 2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed the size of the dma array, causing out-of-bounds access warnings (trace below is how we noticed this issue). UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]') Workqueue: gve gve_service_task [gve] Call Trace: <TASK> dump_stack_lvl+0x33/0xa0 __ubsan_handle_out_of_bounds+0xdc/0x110 gve_tx_stop_ring_dqo+0x182/0x200 [gve] gve_close+0x1be/0x450 [gve] gve_reset+0x99/0x120 [gve] gve_service_task+0x61/0x100 [gve] process_scheduled_works+0x1e9/0x380 Fix this by properly checking for QPL mode and delegating to gve_free_tx_qpl_bufs() to reclaim the buffers.

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: NVD-CWE-noinfo

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected a6fb8d5a8b6925f1e635818d3dd2d89531d4a058 71511dae56a75ce161aa746741e5c498feaea393 git	Not specified
CNA	Linux	Linux	affected a6fb8d5a8b6925f1e635818d3dd2d89531d4a058 c171f90f58974c784db25e0606051541cb71b7f0 git	Not specified
CNA	Linux	Linux	affected a6fb8d5a8b6925f1e635818d3dd2d89531d4a058 07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f git	Not specified
CNA	Linux	Linux	affected a6fb8d5a8b6925f1e635818d3dd2d89531d4a058 3744ebd8ffaa542ae8110fb449adcac0202f4cc8 git	Not specified
CNA	Linux	Linux	affected a6fb8d5a8b6925f1e635818d3dd2d89531d4a058 fb868db5f4bccd7a78219313ab2917429f715cea git	Not specified
CNA	Linux	Linux	affected 6.6	Not specified
CNA	Linux	Linux	unaffected 6.6 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.17 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.7 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/07e0c80e17ef781799e7cd5c41a7bf44f1bf6a5f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/71511dae56a75ce161aa746741e5c498feaea393	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/3744ebd8ffaa542ae8110fb449adcac0202f4cc8	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/c171f90f58974c784db25e0606051541cb71b7f0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/fb868db5f4bccd7a78219313ab2917429f715cea	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.