{ "threat_severity" : "Moderate", "public_date" : "2026-03-20T00:00:00Z", "bugzilla" : { "description" : "kernel: net: add xmit recursion limit to tunnel xmit functions", "id" : "2449561", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449561" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-835", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: add xmit recursion limit to tunnel xmit functions\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\nBUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\nWrite of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\nWorkqueue: mld mld_ifc_work\nCall Trace:\n\n__build_flow_key.constprop.0 (net/ipv4/route.c:515)\nip_rt_update_pmtu (net/ipv4/route.c:1073)\niptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\nip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\ngre_tap_xmit (net/ipv4/ip_gre.c:779)\ndev_hard_start_xmit (net/core/dev.c:3887)\nsch_direct_xmit (net/sched/sch_generic.c:347)\n__dev_queue_xmit (net/core/dev.c:4802)\nbond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\nbond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\nbond_start_xmit (drivers/net/bonding/bond_main.c:5530)\ndev_hard_start_xmit (net/core/dev.c:3887)\n__dev_queue_xmit (net/core/dev.c:4841)\nip_finish_output2 (net/ipv4/ip_output.c:237)\nip_output (net/ipv4/ip_output.c:438)\niptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\ngre_tap_xmit (net/ipv4/ip_gre.c:779)\ndev_hard_start_xmit (net/core/dev.c:3887)\nsch_direct_xmit (net/sched/sch_generic.c:347)\n__dev_queue_xmit (net/core/dev.c:4802)\nbond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\nbond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\nbond_start_xmit (drivers/net/bonding/bond_main.c:5530)\ndev_hard_start_xmit (net/core/dev.c:3887)\n__dev_queue_xmit (net/core/dev.c:4841)\nip_finish_output2 (net/ipv4/ip_output.c:237)\nip_output (net/ipv4/ip_output.c:438)\niptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\nip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\ngre_tap_xmit (net/ipv4/ip_gre.c:779)\ndev_hard_start_xmit (net/core/dev.c:3887)\nsch_direct_xmit (net/sched/sch_generic.c:347)\n__dev_queue_xmit (net/core/dev.c:4802)\nbond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\nbond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\nbond_start_xmit (drivers/net/bonding/bond_main.c:5530)\ndev_hard_start_xmit (net/core/dev.c:3887)\n__dev_queue_xmit (net/core/dev.c:4841)\nmld_sendpack\nmld_ifc_work\nprocess_one_work\nworker_thread\n", "A flaw was found in the Linux kernel. When a bond device in broadcast mode has Generic Routing Encapsulation (GRE) tap interfaces configured as slaves, and these GRE tunnels are routed back through the bond, multicast or broadcast network traffic can trigger an infinite recursion. This recursion occurs within the kernel's tunnel transmit functions, leading to a kernel stack overflow. A local attacker could potentially exploit this to cause a Denial of Service (DoS) on the system." ], "statement" : "This vulnerability requires a specific network configuration: a bonding device in broadcast mode with GRE tap tunnel slaves where the tunnels route back through the bond. When multicast or broadcast traffic is sent, the lack of recursion limits in tunnel transmit functions causes infinite recursion between bond_xmit_broadcast() and tunnel xmit functions, exhausting the kernel stack. This affects GRE, VXLAN, Geneve, and similar tunnels.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23276\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23276\nhttps://lore.kernel.org/linux-cve-announce/2026032035-CVE-2026-23276-7fd3@gregkh/T" ], "name" : "CVE-2026-23276", "mitigation" : { "value" : "Avoid configuring bond devices in broadcast mode with tunnel interfaces (GRE, VXLAN, Geneve) as slaves when those tunnels route back through the bond. Alternatively, use a different bonding mode such as active-backup or 802.3ad.", "lang" : "en:us" }, "csaw" : false }