Linux Kernel CVE-2026-23459: ip_tunnel Stat Rollover Corruption in 32bit
CVE-2026-23459 Published on April 3, 2026
ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS
In the Linux kernel, the following vulnerability has been resolved:
ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS
Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which
call iptunnel_xmit_stats().
iptunnel_xmit_stats() was assuming tunnels were only using
NETDEV_PCPU_STAT_TSTATS.
@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.
32bit kernels would either have corruptions or freezes if the syncp
sequence was overwritten.
This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid
a potential cache line miss since iptunnel_xmit_stats() needs to read it.
Products Associated with CVE-2026-23459
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version be226352e8dc77d3313c096b2d8e7f69bf6980fc and below 0d087d00161f562d5047cc4009bb0c6a19daf9f1 is affected.
- Version be226352e8dc77d3313c096b2d8e7f69bf6980fc and below 8431c602f551549f082bbfa67f3003f2d8e3e132 is affected.
- Version 6.14 is affected.
- Before 6.14 is unaffected.
- Version 6.19.10, <= 6.19.* is unaffected.
- Version 7.0-rc5, <= * is unaffected.