CVE-2026-23172
Published: 14 February 2026
Summary
CVE-2026-23172 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in the Linux Kernel. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation through kernel stable patches adds bounds checking in t7xx_dpmaif_set_frag_to_skb to directly prevent the skb frags array overflow from excessive fragments.
Requires bounds validation of packet fragment counts received from potentially malicious or buggy modem firmware to avoid exceeding MAX_SKB_FRAGS and causing buffer overflow.
Implements kernel memory protections to mitigate unauthorized access or modification from skb_shinfo frags array corruption due to unvalidated fragment additions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel memory corruption in WWAN driver enables unprivileged exploitation for privilege escalation via buffer overflow.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb->frags overflow in RX path

When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior.

This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: fix array overflow on receiving too many fragments for a packet").

The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects.

Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS. The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown.
Deeper analysis
CVE-2026-23172 affects the Linux kernel's t7xx WWAN driver in the DPMAIF RX path. The function t7xx_dpmaif_set_frag_to_skb() adds page fragments to an skb without verifying if the number exceeds MAX_SKB_FRAGS, potentially causing a buffer overflow in the skb_shinfo(skb)->frags[] array. This corrupts adjacent memory, which can result in kernel crashes or other undefined behavior.
The vulnerability is triggered when the modem firmware sends packets with excessive fragments. Malicious, buggy, or compromised firmware can do this even though normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes) do not require additional fragments. The CVSS 3.1 score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates that local attackers require no privileges or user interaction to exploit it, potentially achieving high impacts on confidentiality, integrity, and availability through memory corruption.
Kernel stable patches referenced in the CVE, such as commits 2a0522f564acd34442652ea083091c329fa7c5d5 and others, mitigate the issue by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS. This check occurs before unmapping to prevent page leaks and double DMA unmaps during device teardown.
The issue was identified via static code analysis, drawing comparison to a similar array overflow fix in the mt76 driver (commit b102f0c522cf). No real-world exploitation is mentioned.
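The ordering the fix depends on (count check first, then unmap, then attach) can be seen in a small userspace model. This is an added example, not the kernel patch or driver code: every `model_*` name is hypothetical, and `MODEL_MAX_FRAGS` is an assumed stand-in for MAX_SKB_FRAGS.

```c
#include <stddef.h>
#include <stdio.h>
#define MODEL_MAX_FRAGS 17   /* assumed stand-in for MAX_SKB_FRAGS */

struct model_skb {           /* stand-in for skb plus skb_shinfo(skb) */
    unsigned int nr_frags;
    const void *frags[MODEL_MAX_FRAGS];
};
struct model_rx_buf {        /* stand-in for one DMA-mapped RX page */
    const void *page;
    int mapped;              /* 1 while the DMA mapping is live */
    int unmap_calls;         /* must end at exactly 1 per buffer */
};

static void model_unmap(struct model_rx_buf *b) { b->mapped = 0; b->unmap_calls++; }

/* Hardened order: validate the fragment count, then unmap, then attach. */
static int model_set_frag_to_skb(struct model_skb *skb, struct model_rx_buf *b)
{
    if (skb->nr_frags >= MODEL_MAX_FRAGS)
        return -1;           /* buffer untouched: still mapped, still owned by the ring */
    model_unmap(b);
    skb->frags[skb->nr_frags++] = b->page;
    b->page = NULL;          /* ownership moved to the skb */
    return 0;
}

/* Constructed input: firmware delivers n fragments for a single packet.
 * The model keeps offering fragments so every excess one is seen refused. */
static int model_run(size_t n, struct model_skb *skb, struct model_rx_buf *ring)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        ring[i] = (struct model_rx_buf){ .page = &ring[i], .mapped = 1 };
        if (model_set_frag_to_skb(skb, &ring[i]) < 0)
            rejected++;
    }
    for (size_t i = 0; i < n; i++)   /* teardown: release what is still mapped */
        if (ring[i].mapped)
            model_unmap(&ring[i]);
    return rejected;
}

int main(void)
{
    struct model_skb skb = {0};
    struct model_rx_buf ring[20];
    int rejected = model_run(20, &skb, ring);
    printf("rejected=%d nr_frags=%u\n", rejected, skb.nr_frags);
    return 0;
}
```

Because a refused buffer is never unmapped by the RX path, teardown still sees it as mapped and releases it once. Checking after the unmap would leave the model's teardown skipping a page that nothing owns.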
Details
- CWE(s)