{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz", "id" : "2451261", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451261" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-131", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz\nThe only user of frag_size field in XDP RxQ info is\nbpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead\nof DMA write size. Different assumptions in ice driver configuration lead\nto negative tailroom.\nThis allows to trigger kernel panic, when using\nXDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to\n6912 and the requested offset to a huge value, e.g.\nXSK_UMEM__MAX_FRAME_SIZE * 100.\nDue to other quirks of the ZC configuration in ice, panic is not observed\nin ZC mode, but tailroom growing still fails when it should not.\nUse fill queue buffer truesize instead of DMA write size in XDP RxQ info.\nFix ZC mode too by using the new helper.", "A flaw was found in the Linux kernel, specifically within the `ice` network driver and the eXpress Data Path (XDP) component. This vulnerability arises from an incorrect calculation of the `frag_size` in XDP receive queue information, which can lead to an invalid memory state known as \"negative tailroom.\" A local user can exploit this by manipulating packet sizes and offsets during XDP operations. Successful exploitation can trigger a kernel panic, resulting in a Denial of Service (DoS) for the affected system." ], "statement" : "This flaw affects systems with Intel ice network adapters using XDP (eXpress Data Path). The incorrect frag_size calculation (DMA write size vs. buffer truesize) causes bpf_xdp_frags_increase_tail() to compute negative tailroom, leading to memory corruption or kernel panic. Triggerable via XDP_ADJUST_TAIL with specific packet sizes. Requires XDP program loading privileges.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23377\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23377\nhttps://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23377-cb04@gregkh/T" ], "name" : "CVE-2026-23377", "mitigation" : { "value" : "To mitigate this issue, prevent the ice module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.", "lang" : "en:us" }, "csaw" : false }