VYPR
← All advisories
High severity8.2NVD Advisory· Published Apr 3, 2026· Updated Apr 27, 2026

CVE-2026-23459

CVE-2026-23459

Description

In the Linux kernel, the following vulnerability has been resolved:

ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS

Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats().

iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS.

@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.

32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten.

This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, iptunnel_xmit_stats() incorrectly assumed NETDEV_PCPU_STAT_TSTATS, causing corruption or freezes with vxlan/geneve tunnels on 32-bit systems; the patch corrects the syncp offset and moves pcpu_stat_type.

Root

Cause CVE-2026-23459 describes a bug in the Linux kernel's iptunnel_xmit_stats() function, which was designed to handle only NETDEV_PCPU_STAT_TSTATS statistics. However, this function is also called by udp_tunnel_xmit_skb() used by vxlan and geneve tunnels, which use the NETDEV_PCPU_STAT_DSTATS type. The offset of the syncp field differs between pcpu_sw_netstats and pcpu_dstats, leading to memory corruption on 32-bit kernels when the incorrect offset is overwritten [1][2].

Attack

Vector No authentication or special privileges are required to trigger this vulnerability. Any network packet sent through a vxlan or geneve tunnel will invoke iptunnel_xmit_stats() and corrupt kernel memory on 32-bit systems. This makes the bug exploitable remotely via crafted network traffic.

Impact

A successful exploit results in kernel memory corruption, which can cause system freezes or crashes (denial of service). The patch also improves performance by moving the pcpu_stat_type field closer to dev->{t,d}stats to avoid a cache line miss.

Mitigation

The fix is included in the stable kernel commits [1] and [2]. Administrators should update their kernels to the latest patched versions. No workarounds other than applying the update are available.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.