CVE-2026-23359
Published: 25 March 2026
Summary
CVE-2026-23359 is a high-severity out-of-bounds write (CWE-787) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE sits at the 4.9th percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23359 is a stack out-of-bounds write in the Linux kernel's BPF devmap (kernel/bpf/devmap.c), the map type that backs XDP redirects. The helper get_upper_ifindexes() walks every upper device stacked on the ingress interface (macvlans, for example) and writes each one's ifindex into an array supplied by the caller, with no bound on how many entries it writes. Its callers, dev_map_enqueue_multi() among them, reserve excluded_devices[1+MAX_NEST_DEV] on the stack (MAX_NEST_DEV is 8; the extra slot holds the ingress device's own ifindex) on the assumption that no device has more than MAX_NEST_DEV uppers. MAX_NEST_DEV limits how deeply devices can be nested, not how many uppers a single device can have, so a ninth macvlan on one interface already pushes the writes past the end of the array. The vulnerability is classified as CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker triggers the bug by creating more than MAX_NEST_DEV (8) macvlans on a network device that has an XDP program attached which redirects through bpf_redirect_map() with the BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS flags, then sending any packet to the device so the redirect path enumerates the upper devices. CVSS rates the required privileges as low (PR:L); in practice both adding macvlans and attaching an XDP program require CAP_NET_ADMIN over the device's network namespace, so the realistic precondition is a user or container with network-administration rights on the host interface, or an interface where a legitimate workload already runs such a broadcast-redirect program and the attacker can add macvlan uppers to it. The overflow writes interface indexes (small integers the attacker controls only indirectly, through how many devices are created) past the end of excluded_devices[] into whatever the compiler placed next in the frame. The most reliable outcome is a kernel crash (denial of service); controlled corruption of adjacent locals or saved state could escalate to arbitrary kernel code execution, which is why the vector rates confidentiality, integrity and availability impact as High.
The fix, carried in the kernel.org stable branches, adds a max parameter to get_upper_ifindexes() so the helper stops before the array is full. When the number of upper devices exceeds the limit it returns -EOVERFLOW and the caller aborts the redirect, so a packet that would have overflowed the array is dropped instead of corrupting the stack. Apply the stable update that carries the fix for your branch; the relevant commits are 5000e40acc8d0c36ab709662e32120986ac22e7e, 75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2, 88df604f0d16a692867582350ce3f2fcd22243f1, 8a95fb9df1105b1618872c2846a6c01e3ba20b45, and b7bf516c3ecd9a2aae2dc2635178ab87b734fef1.
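To make the failure mode and the fix concrete, the following is an added userspace model written for this page; it is not kernel code and not taken from the fix commits. It shows the helper in its pre-fix shape (no bound) beside its post-fix shape (a max argument and -EOVERFLOW), and runs the exclude-ingress logic of dev_map_enqueue_multi() against a modelled stack frame. The net_device stand-in, the flat frame[] array with sentinel slots after excluded_devices[], the ifindex values and the _vulnerable/_fixed function names are all constructed for the model; the real kernel walks uppers with netdev_for_each_upper_dev_rcu() and its frame layout is decided by the compiler.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_NEST_DEV 8                    /* kernel constant, include/linux/netdevice.h */
#define EXCLUDED_SLOTS (1 + MAX_NEST_DEV) /* excluded_devices[1 + MAX_NEST_DEV] in the caller */
#define MAX_MODEL_UPPERS 16               /* model-only cap on stacked macvlans */

/* Model stand-in for struct net_device: only the ifindex and the upper-device
 * list matter here (the kernel walks it with netdev_for_each_upper_dev_rcu()). */
struct net_device {
	int ifindex;
	int n_upper;
	const struct net_device *upper[MAX_MODEL_UPPERS];
};

/* Pre-fix shape of the helper: every upper ifindex is written, with no bound. */
static int get_upper_ifindexes_vulnerable(const struct net_device *dev, int *indexes)
{
	int n = 0;
	for (int i = 0; i < dev->n_upper; i++)
		indexes[n++] = dev->upper[i]->ifindex;
	return n;
}

/* Post-fix shape: max bounds the writes; overflow is reported as -EOVERFLOW
 * instead of performed, so the caller can abort the redirect. */
static int get_upper_ifindexes_fixed(const struct net_device *dev, int *indexes, int max)
{
	int n = 0;
	for (int i = 0; i < dev->n_upper; i++) {
		if (n >= max)
			return -EOVERFLOW;
		indexes[n++] = dev->upper[i]->ifindex;
	}
	return n;
}

/* The caller's frame, modelled as one flat array: slots 0..EXCLUDED_SLOTS-1 are
 * excluded_devices[]; the two slots after them stand in for whatever the compiler
 * placed next (other locals, spilled registers). A flat array keeps the model
 * itself free of undefined behaviour. */
#define FRAME_SLOTS (EXCLUDED_SLOTS + 2)
#define SENTINEL 0x5a5a5a5a

struct outcome {
	int ret;          /* excluded-entry count, or -EOVERFLOW when the fixed helper aborts */
	int frame_intact; /* 1 when the slots beyond excluded_devices[] still hold SENTINEL */
};

/* Exclude-ingress part of dev_map_enqueue_multi(), run against an ingress device
 * with n_macvlans macvlan uppers. The unpatched run is capped at FRAME_SLOTS - 1
 * uppers so the model never writes outside frame[]. */
static struct outcome model_enqueue_multi(int n_macvlans, int use_fix)
{
	static struct net_device macvlan[MAX_MODEL_UPPERS];
	struct net_device dev_rx = { .ifindex = 2, .n_upper = 0 }; /* constructed: the ingress NIC */
	int frame[FRAME_SLOTS];
	int *excluded_devices = frame;
	struct outcome o;

	if (n_macvlans > MAX_MODEL_UPPERS)
		n_macvlans = MAX_MODEL_UPPERS;
	if (!use_fix && n_macvlans > FRAME_SLOTS - 1)
		n_macvlans = FRAME_SLOTS - 1;
	for (int i = 0; i < n_macvlans; i++) {
		macvlan[i].ifindex = 3 + i; /* constructed ifindexes */
		dev_rx.upper[dev_rx.n_upper++] = &macvlan[i];
	}

	memset(frame, 0, sizeof frame);
	frame[EXCLUDED_SLOTS] = SENTINEL;
	frame[EXCLUDED_SLOTS + 1] = SENTINEL;

	if (use_fix)
		o.ret = get_upper_ifindexes_fixed(&dev_rx, excluded_devices, MAX_NEST_DEV);
	else
		o.ret = get_upper_ifindexes_vulnerable(&dev_rx, excluded_devices);
	if (o.ret >= 0)
		excluded_devices[o.ret++] = dev_rx.ifindex; /* the ingress device itself */

	o.frame_intact = frame[EXCLUDED_SLOTS] == SENTINEL &&
			 frame[EXCLUDED_SLOTS + 1] == SENTINEL;
	return o;
}

int main(void)
{
	struct outcome o = model_enqueue_multi(10, 0);
	printf("10 macvlans, unpatched: excluded=%d frame_intact=%d\n", o.ret, o.frame_intact);
	o = model_enqueue_multi(10, 1);
	printf("10 macvlans, patched:   ret=%d (-EOVERFLOW=%d) frame_intact=%d\n",
	       o.ret, -EOVERFLOW, o.frame_intact);
	return 0;
}
```

With eight macvlans both helpers fill exactly the nine reserved slots. With nine, the unpatched helper fills all nine itself and the ingress ifindex lands one slot past the array; with ten, two slots are clobbered. The fixed helper refuses as soon as the ninth entry would be written and the frame stays untouched, which is exactly the -EOVERFLOW abort described in the fix.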
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15336
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stack-out-of-bounds write in devmap

get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel stack overflow in BPF devmap enables privilege escalation via crafted XDP redirect with macvlans.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): applying the listed stable kernel updates remediates the stack out-of-bounds write directly, since the patched get_upper_ifindexes() takes a bound and returns -EOVERFLOW, aborting the redirect, when a device has more upper devices than excluded_devices[] can hold.
SI-16 (Memory Protection): kernel stack protection (CONFIG_STACKPROTECTOR_STRONG) places a canary in the frame and checks it on function return, so a successful overwrite is detected and turned into a kernel panic; this converts exploitation into denial of service rather than preventing it. Guard pages from CONFIG_VMAP_STACK do not help here, because the overflow lands inside the frame next to excluded_devices[], not past the end of the stack.
CM-7 (Least Functionality): until patched, avoid XDP programs that redirect with BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS on interfaces whose upper-device count is not under your control, keep the number of macvlans per physical interface at or below MAX_NEST_DEV (8), and on hosts that do not need macvlan at all blacklist the module (for example `install macvlan /bin/false` in /etc/modprobe.d). Restricting CAP_NET_ADMIN to trusted principals removes the ability to create the macvlans needed to reach the vulnerable enumeration path.