Linux Kernel BPF devmap Stack OOB Write via get_upper_ifindexes
CVE-2026-23359 Published on March 25, 2026
bpf: Fix stack-out-of-bounds write in devmap
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stack-out-of-bounds write in devmap
get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.
Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.
Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.
To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Products Associated with CVE-2026-23359
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version aeea1b86f9363f3feabb496534d886f082a89f21 and below 5000e40acc8d0c36ab709662e32120986ac22e7e is affected.
- Version aeea1b86f9363f3feabb496534d886f082a89f21 and below 8a95fb9df1105b1618872c2846a6c01e3ba20b45 is affected.
- Version aeea1b86f9363f3feabb496534d886f082a89f21 and below d2c31d8e03d05edc16656e5ffe187f0d1da763d7 is affected.
- Version aeea1b86f9363f3feabb496534d886f082a89f21 and below 75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2 is affected.
- Version aeea1b86f9363f3feabb496534d886f082a89f21 and below ca831567908fd3f73cf97d8a6c09a5054697a182 is affected.
- Version aeea1b86f9363f3feabb496534d886f082a89f21 and below b7bf516c3ecd9a2aae2dc2635178ab87b734fef1 is affected.
- Version 5.15 is affected.
- Before 5.15 is unaffected.
- Version 6.1.167, <= 6.1.* is unaffected.
- Version 6.6.130, <= 6.6.* is unaffected.
- Version 6.12.77, <= 6.12.* is unaffected.
- Version 6.18.17, <= 6.18.* is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc2, <= * is unaffected.