VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Mar 25, 2026· Updated Apr 28, 2026

CVE-2026-23377

CVE-2026-23377

Description

In the Linux kernel, the following vulnerability has been resolved:

ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

The only user of frag_size field in XDP RxQ info is bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead of DMA write size. Different assumptions in ice driver configuration lead to negative tailroom.

This allows to trigger kernel panic, when using XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to 6912 and the requested offset to a huge value, e.g. XSK_UMEM__MAX_FRAME_SIZE * 100.

Due to other quirks of the ZC configuration in ice, panic is not observed in ZC mode, but tailroom growing still fails when it should not.

Use fill queue buffer truesize instead of DMA write size in XDP RxQ info. Fix ZC mode too by using the new helper.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's ice driver, incorrect XDP RxQ frag_size causes negative tailroom, leading to a kernel panic when using XDP_ADJUST_TAIL_GROW_MULTI_BUFF with large packet sizes.

Vulnerability

In the Linux kernel's ice driver, the frag_size field in XDP RxQ info was incorrectly set to the DMA write length instead of the full buffer size (xdp.frame_sz). The only user of this field is bpf_xdp_frags_increase_tail(), which expects the whole buffer size. This mismatch leads to negative tailroom calculations, which can trigger a kernel panic [1].

Exploitation

The vulnerability can be triggered by using the XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test with a packet size of 6912 and a requested offset set to a huge value, such as XSK_UMEM__MAX_FRAME_SIZE * 100. The attack requires the ability to send such crafted packets to a system using the ice driver with XDP zero-copy (ZC) enabled. In ZC mode, the panic is not observed due to other quirks, but tailroom growth still fails when it should not [1].

Impact

A successful exploitation allows an attacker to cause a kernel panic, resulting in a denial of service (DoS). The CVSS v3 score is 5.5 (Medium), indicating a moderate severity with high availability impact but low attack complexity and no privileges required [1].

Mitigation

The fix involves using the fill queue buffer truesize instead of the DMA write size in XDP RxQ info, and correcting the ZC mode using a new helper. The patch has been applied to the Linux kernel stable tree [1][2]. Users should update their kernel to include the commit b0f05100e8795aadd1c0606bae9caefbda070d63 or later.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Linux/Kernel4 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 3 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.3,<6.19.7
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.