{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL",
    "id" : "2451273",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451273"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1285",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ngve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL\nIn DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA\nbuffer cleanup path. It iterates num_bufs times and attempts to unmap\nentries in the dma array.\nThis leads to two issues:\n1. The dma array shares storage with tx_qpl_buf_ids (union).\nInterpreting buffer IDs as DMA addresses results in attempting to\nunmap incorrect memory locations.\n2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed\nthe size of the dma array, causing out-of-bounds access warnings\n(trace below is how we noticed this issue).\nUBSAN: array-index-out-of-bounds in\ndrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of\nrange for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')\nWorkqueue: gve gve_service_task [gve]\nCall Trace:\n<TASK>\ndump_stack_lvl+0x33/0xa0\n__ubsan_handle_out_of_bounds+0xdc/0x110\ngve_tx_stop_ring_dqo+0x182/0x200 [gve]\ngve_close+0x1be/0x450 [gve]\ngve_reset+0x99/0x120 [gve]\ngve_service_task+0x61/0x100 [gve]\nprocess_scheduled_works+0x1e9/0x380\nFix this by properly checking for QPL mode and delegating to\ngve_free_tx_qpl_bufs() to reclaim the buffers.", "A flaw was found in the Linux kernel, specifically within the gve network driver. When the driver operates in DQ-QPL (Data Queue - Queue Pair List) mode, the gve_tx_clean_pending_packets() function incorrectly processes buffer cleanup. This error can cause the system to attempt to unmap memory at incorrect locations and access memory outside of allocated bounds, potentially leading to system instability or a denial of service." ],
  "statement" : "This flaw affects Google Cloud Platform virtual machines using the gve network driver in DQ-QPL mode. The buffer cleanup code incorrectly interprets QPL buffer IDs as DMA addresses and can access beyond array bounds. This triggers UBSAN warnings and may cause memory corruption during driver reset or close operations. The flaw is specific to GCP environments that use the gve driver.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23386\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23386\nhttps://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23386-acc4@gregkh/T" ],
  "name" : "CVE-2026-23386",
  "csaw" : false
}