Cyber Resilience

CVE-2026-23359

Severity: High
Published: 25 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0002 (4.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23359 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation). EPSS ranks it at the 4.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-23359 is a stack-out-of-bounds write vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) devmap component. The issue arises in the get_upper_ifindexes() function, which iterates over all upper devices (such as macvlans) and writes their interface indices into a stack-allocated array without bounds checking. Callers of this function assume a maximum of MAX_NEST_DEV (8) upper devices and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but the actual number can exceed this limit, leading to a buffer overflow. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can trigger this vulnerability by creating more than 8 macvlans on a network device that has an XDP (eXpress Data Path) program attached with the BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS flags, then sending a packet to the device so that the XDP redirect path runs. The enumeration of upper devices then writes past the end of the stack array; the resulting stack corruption can lead to arbitrary code execution, data disclosure, or denial of service, which is why the CVSS vector rates the confidentiality, integrity, and availability impacts as high.

The patch references, from kernel.org stable branches, address the issue by adding a max parameter to get_upper_ifindexes() that enforces the bound. If the number of upper devices exceeds the limit, the function returns -EOVERFLOW and the redirect is aborted safely, so the out-of-bounds write never happens. Security practitioners should apply the stable kernel updates corresponding to commits 5000e40acc8d0c36ab709662e32120986ac22e7e, 75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2, 88df604f0d16a692867582350ce3f2fcd22243f1, 8a95fb9df1105b1618872c2846a6c01e3ba20b45, and b7bf516c3ecd9a2aae2dc2635178ab87b734fef1.
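As an added illustration of the fix described above (this is not the kernel's code), the following simplified model shows the exclude-ingress path once get_upper_ifindexes() takes a max parameter: the caller's excluded_devices[1+MAX_NEST_DEV] stack array can no longer be overrun, and too many upper devices yields -EOVERFLOW so the redirect is aborted. The net_device layout, the flat upper[] list, and the build_excluded()/demo_exclude_ingress() helpers are assumptions made for this demo.

```c
/* Added illustration, not kernel code: a simplified model of the devmap
 * exclude-ingress path after the fix. net_device layout, the flat upper[]
 * list and the helpers below are assumptions made for this demo. */
#include <errno.h>
#define MAX_NEST_DEV 8   /* nesting limit that callers also use as an array size */

struct net_device {
    int ifindex;
    int num_upper;                 /* direct upper devices, e.g. macvlans */
    struct net_device *upper[64];  /* constructed flat list, wide enough for the demo */
};

/* Fixed shape: write at most 'max' ifindexes into 'indexes'.
 * Returns the count written, or -EOVERFLOW when the upper list does not fit
 * (the pre-fix version had no 'max' and trusted the caller's array size). */
static int get_upper_ifindexes(const struct net_device *dev, int *indexes, int max)
{
    int n = 0;
    for (int i = 0; i < dev->num_upper; i++) {
        if (n >= max)
            return -EOVERFLOW;     /* caller must abort the redirect */
        indexes[n++] = dev->upper[i]->ifindex;
    }
    return n;
}

/* Exclusion list as built for BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS: the
 * ingress device at [0], then its uppers. Returns the number of excluded
 * ifindexes, or -EOVERFLOW when the redirect has to be aborted. */
static int build_excluded(const struct net_device *dev, int *excluded, int cap)
{
    excluded[0] = dev->ifindex;
    int n = get_upper_ifindexes(dev, excluded + 1, cap - 1);
    return n < 0 ? n : n + 1;
}

/* Ingress device with k constructed macvlans on top; returns build_excluded()'s
 * result for the advisory's excluded_devices[1+MAX_NEST_DEV] stack array. */
int demo_exclude_ingress(int k)
{
    static struct net_device uppers[64];
    if (k > 64) k = 64;            /* keep the constructed list in bounds */
    struct net_device dev = { .ifindex = 2, .num_upper = k };
    for (int i = 0; i < k; i++) {
        uppers[i].ifindex = 100 + i;       /* constructed ifindexes */
        dev.upper[i] = &uppers[i];
    }
    int excluded_devices[1 + MAX_NEST_DEV];
    return build_excluded(&dev, excluded_devices, 1 + MAX_NEST_DEV);
}
```

With up to MAX_NEST_DEV uppers the list fills normally (ingress device plus uppers); the ninth macvlan is where the unbounded version would have written past the array and the fixed version returns -EOVERFLOW instead.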

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stack-out-of-bounds write in devmap

get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques? Local kernel stack overflow in BPF devmap enables privilege escalation via crafted XDP redirect with macvlans.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux Kernel)
CVE-2026-31772 (same product: Linux Kernel)
CVE-2026-23378 (same product: Linux Kernel)
CVE-2026-31494 (same product: Linux Kernel)
CVE-2025-21735 (same product: Linux Kernel)
CVE-2025-21650 (same product: Linux Kernel)
CVE-2024-52319 (same product: Linux Kernel)
CVE-2024-58003 (same product: Linux Kernel)
CVE-2026-23343 (same product: Linux Kernel)
CVE-2026-23092 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.15; 7.0; 5.15.1 to 5.15.203; 5.16 to 6.1.167; 6.2 to 6.6.130

Mitigating Controls (NIST 800-53 r5)

Prevent: Applying the specified Linux kernel patches directly remediates the stack-out-of-bounds write in the BPF devmap by adding bounds checking and returning -EOVERFLOW when the number of upper devices exceeds the limit.

Prevent, detect: Kernel memory protection mechanisms such as stack canaries and guard pages limit the impact of the stack buffer overflow by detecting the corruption or preventing it from being turned into code execution.

Prevent: Restricting or prohibiting unnecessary features, such as macvlan creation or XDP programs using the BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS flags, removes exposure to the vulnerable enumeration path.