VYPR
Medium severity 5.5 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 24, 2026

CVE-2026-23386

Description

In the Linux kernel, the following vulnerability has been resolved:

gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL

In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array.

This leads to two issues:

1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed the size of the dma array, causing out-of-bounds access warnings (trace below is how we noticed this issue).

UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5
index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
Workqueue: gve gve_service_task [gve]
Call Trace:
 dump_stack_lvl+0x33/0xa0
 __ubsan_handle_out_of_bounds+0xdc/0x110
 gve_tx_stop_ring_dqo+0x182/0x200 [gve]
 gve_close+0x1be/0x450 [gve]
 gve_reset+0x99/0x120 [gve]
 gve_service_task+0x61/0x100 [gve]
 process_scheduled_works+0x1e9/0x380

Fix this by properly checking for QPL mode and delegating to gve_free_tx_qpl_bufs() to reclaim the buffers.
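A user-space model of the two issues described above, added here as an example; it is not the gve driver's code. The struct layout, QPL_SLOTS, the helper names and the 20-buffer sample packet are assumptions; only dma_addr_t[18], tx_qpl_buf_ids and gve_free_tx_qpl_bufs() come from the advisory text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define DMA_SLOTS 18 /* dma_addr_t[18], from the UBSAN report */
#define QPL_SLOTS 32 /* assumed capacity of the buffer-id array */

struct pending_pkt {  /* simplified model, not the driver's struct */
    union {           /* both arrays share the same storage */
        uint64_t dma[DMA_SLOTS];           /* RDA: DMA addresses */
        int16_t tx_qpl_buf_ids[QPL_SLOTS]; /* QPL: ids of 2K chunks */
    };
    unsigned num_bufs;
};
struct result { unsigned unmapped, out_of_range, qpl_freed; };
/* Pre-fix logic: walk dma[] num_bufs times, whatever the mode. */
static struct result clean_before_fix(const struct pending_pkt *p)
{
    struct result r = {0, 0, 0};
    for (unsigned i = 0; i < p->num_bufs; i++) {
        if (i < DMA_SLOTS) r.unmapped++; /* dma[i] would reach the unmap call */
        else r.out_of_range++;           /* driver indexed dma[i]; model only counts */
    }
    return r;
}

/* Post-fix logic: in QPL mode release buffer ids and never touch dma[]. */
static struct result clean_after_fix(const struct pending_pkt *p, bool qpl)
{
    struct result r = {0, 0, 0};
    if (qpl) r.qpl_freed = p->num_bufs; /* stands in for gve_free_tx_qpl_bufs() */
    else r.unmapped = p->num_bufs;
    return r;
}

/* Constructed sample: a QPL packet holding buffer ids 1..20. */
static struct pending_pkt sample_qpl_pkt(void)
{
    struct pending_pkt p = { .num_bufs = 20 };
    for (unsigned i = 0; i < p.num_bufs; i++) p.tx_qpl_buf_ids[i] = (int16_t)(i + 1);
    return p;
}

int main(void)
{
    struct pending_pkt p = sample_qpl_pkt();
    struct result b = clean_before_fix(&p), a = clean_after_fix(&p, true);
    printf("dma[0]=0x%016llx unmapped=%u oob=%u qpl_freed=%u\n",
           (unsigned long long)p.dma[0], b.unmapped, b.out_of_range, a.qpl_freed);
    return 0;
}
```

The printed dma[0] value is four packed buffer ids read back as one 64-bit "address", which is what the pre-fix path would have handed to the unmap call.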

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's GVE driver, DQ-QPL mode buffer cleanup uses the wrong path, causing out-of-bounds memory access.

CVE-2026-23386 is a medium-severity vulnerability in the Linux kernel's Google Virtual Ethernet (gve) driver, affecting the buffer cleanup logic in gve_tx_clean_pending_packets(). In DQ-QPL mode, the function incorrectly follows the RDA (regular descriptor array) cleanup path, iterating over num_bufs and attempting to unmap entries from the DMA array. However, in QPL mode the DMA array shares storage with tx_qpl_buf_ids via a union, so interpreting buffer IDs as DMA addresses leads to unmapping incorrect memory locations [1]. Additionally, num_bufs in QPL mode (counting 2K chunks) can exceed the DMA array size, triggering out-of-bounds access warnings as observed in UBSAN traces [2].

The vulnerability can be triggered during normal network operation, specifically when the gve driver resets or closes the network interface. The cleanup function is called from gve_tx_stop_ring_dqo() during device teardown, which is invoked by gve_close() and gve_reset() [3]. An attacker with local access or the ability to influence network interface state could potentially use the out-of-bounds access to cause a kernel crash (denial of service) or memory corruption. The CVSS v3 score of 5.5 reflects the local-access requirement and the high availability impact.

The impact includes kernel panic or memory corruption due to the out-of-bounds array access and incorrect DMA unmapping. The fix, which properly checks for QPL mode and delegates to gve_free_tx_qpl_bufs() instead, has been applied to stable kernel branches [4]. Users should update to the latest kernel to mitigate this issue.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel: 10 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.6.1,<6.6.130)
    • cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
    • (no CPE)

References

5
