ICE driver XDP RxQ frag_size bug triggers kernel panic
CVE-2026-23377 Published on March 25, 2026
ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz
In the Linux kernel, the following vulnerability has been resolved:
ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz
The only user of frag_size field in XDP RxQ info is
bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead
of DMA write size. Different assumptions in ice driver configuration lead
to negative tailroom.
This allows to trigger kernel panic, when using
XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to
6912 and the requested offset to a huge value, e.g.
XSK_UMEM__MAX_FRAME_SIZE * 100.
Due to other quirks of the ZC configuration in ice, panic is not observed
in ZC mode, but tailroom growing still fails when it should not.
Use fill queue buffer truesize instead of DMA write size in XDP RxQ info.
Fix ZC mode too by using the new helper.
Products Associated with CVE-2026-23377
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 2fba7dc5157b6f85dbf1b8e26e63a724db1f3d79 and below b0f05100e8795aadd1c0606bae9caefbda070d63 is affected.
- Version 2fba7dc5157b6f85dbf1b8e26e63a724db1f3d79 and below e142dc4ef0f451b7ef99d09aaa84e9389af629d7 is affected.
- Version 6.3 is affected.
- Before 6.3 is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc3, <= * is unaffected.