CVE-2026-23378
Published: 25 March 2026
Summary
CVE-2026-23378 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely application of the Linux kernel patches that fix the improper metalist append behavior during IFE action replacements.
- Memory protection: mechanisms such as kernel address randomization and guard pages limit the impact of slab-out-of-bounds writes caused by unbounded metalist growth.
- CM-7 (Least Functionality): restricts unnecessary kernel networking capabilities such as act_ife, preventing local attackers from configuring vulnerable IFE actions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This local kernel memory-corruption vulnerability in act_ife provides an out-of-bounds write primitive that can be used for privilege escalation (T1068) from a low-privileged local context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior

Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being inappropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op:

[ 138.423369][ C1] ==================================================================
[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255
[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 138.425800][ C1] Call Trace:
[ 138.425804][ C1] <IRQ>
[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)
[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))
[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)
[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)
[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))
[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)
[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)

To solve this issue, fix the replace behavior by adding the metalist to the ife rcu data structure.
Deeper analysis
CVE-2026-23378 is a vulnerability in the Linux kernel's net/sched act_ife component, which handles IFE (IFB Encapsulation) actions for network traffic classification and processing. The issue arises when an IFE action replacement modifies the metalist: instead of replacing the existing metadata, the code appends the new metadata, so the metalist grows without bound across repeated replacements. The oversized list then triggers a slab-out-of-bounds write during the encode operation, as shown by the KASAN report in ife_tlv_meta_encode (net/ife/ife.c:168), where metadata is written beyond the allocated buffer.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves triggering repeated IFE action replacements that grow the metalist, causing out-of-bounds memory access when the metadata is encoded in functions such as ife_encode_meta_u16 and tcf_ife_act. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, denial of service, or privilege escalation.
Mitigation requires applying the relevant upstream patches from the Linux kernel stable repository, including commits such as 56ade7ddea6ce605552341785d08e365c3f61861, 5b1449301ca070814d866990b46f48d3f39ea4ee, 691866c4cca54dc4df762276b49e89b36e046947, 91a89d3bdc2f63d983adc13d1771631663c5dc1b, and cd888c3966672239f2e0707b846a5a936ac9038a. These patches fix the replace behavior by properly integrating the metalist into the IFE RCU data structure, preventing appends and unbounded growth.
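To make the append-versus-replace distinction concrete, the following is an added example in C; it is neither kernel code nor taken from the upstream patches. It models a metalist as a linked list, encodes it as 4-byte-aligned type/length/value records into a fixed headroom in the spirit of ife_tlv_meta_encode, and compares a replace that appends to the existing list (the vulnerable behaviour) with one that swaps in a freshly built list (the fixed behaviour). All function and struct names, the 64-byte headroom and the 4-byte metadata values are constructed assumptions. Unlike the kernel's encoder, this one checks the remaining room and returns -1 instead of writing past the buffer, which is the point where KASAN reported the slab-out-of-bounds write.

```c
/* Added example: models the act_ife metalist replace bug. Not kernel code;
 * names, sizes and the TLV layout are simplified assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALIGN4(x) (((x) + 3) & ~(size_t)3)
#define SKB_ROOM 64            /* constructed: headroom available for IFE metadata */

struct meta_entry {
    uint16_t type;
    uint16_t dlen;             /* payload length, 4 here */
    uint32_t value;            /* constructed: every metadatum is a u32 */
    struct meta_entry *next;
};

struct metalist { struct meta_entry *head; };

static void metalist_add(struct metalist *ml, uint16_t type, uint32_t v)
{
    struct meta_entry *e = calloc(1, sizeof *e);
    if (!e) { perror("calloc"); exit(1); }
    e->type = type; e->dlen = sizeof v; e->value = v;
    e->next = ml->head; ml->head = e;
}

static void metalist_free(struct metalist *ml)
{
    struct meta_entry *e = ml->head;
    while (e) { struct meta_entry *n = e->next; free(e); e = n; }
    ml->head = NULL;
}

/* Encode every entry as TLV (2-byte type, 2-byte total length, payload,
 * zero padding to 4 bytes). Returns bytes written, or -1 if the list does
 * not fit. The kernel encoder has no such guard, so an oversized list
 * became the KASAN slab-out-of-bounds write at net/ife/ife.c:168. */
static int metalist_encode(const struct metalist *ml, uint8_t *buf, size_t room)
{
    size_t off = 0;
    for (const struct meta_entry *e = ml->head; e; e = e->next) {
        size_t need = ALIGN4(4 + e->dlen);
        if (off + need > room)
            return -1;
        uint16_t t = e->type, l = (uint16_t)(4 + e->dlen);
        memcpy(buf + off, &t, sizeof t);
        memcpy(buf + off + 2, &l, sizeof l);
        memcpy(buf + off + 4, &e->value, e->dlen);
        memset(buf + off + 4 + e->dlen, 0, need - 4 - e->dlen);
        off += need;
    }
    return (int)off;
}

/* Vulnerable replace: the new metadatum is appended to the existing list. */
static void replace_append(struct metalist *ml, uint16_t type, uint32_t v)
{
    metalist_add(ml, type, v);
}

/* Fixed replace: build a fresh list, swap it in, release the old one.
 * This mirrors the shape of the upstream fix, which keeps the metalist in the
 * RCU-managed data so a replace swaps the whole list instead of extending it. */
static void replace_swap(struct metalist **mlp, uint16_t type, uint32_t v)
{
    struct metalist *fresh = calloc(1, sizeof *fresh);
    if (!fresh) { perror("calloc"); exit(1); }
    metalist_add(fresh, type, v);
    struct metalist *old = *mlp;
    *mlp = fresh;
    metalist_free(old);
    free(old);
}

/* Replace the same action n times and return the last encoded length,
 * or -1 as soon as the metadata no longer fits the headroom. */
static int run_replacements(int use_fix, int n)
{
    struct metalist *ml = calloc(1, sizeof *ml);
    uint8_t buf[SKB_ROOM];
    int len = 0;
    if (!ml) { perror("calloc"); exit(1); }
    for (int i = 0; i < n; i++) {
        if (use_fix)
            replace_swap(&ml, 1, (uint32_t)i);
        else
            replace_append(ml, 1, (uint32_t)i);
        len = metalist_encode(ml, buf, sizeof buf);
        if (len < 0)
            break;
    }
    metalist_free(ml);
    free(ml);
    return len;
}

int main(void)
{
    /* Each entry costs 8 bytes, so 8 fit; the ninth append overflows (-1). */
    printf("append semantics, 9 replacements: %d\n", run_replacements(0, 9));
    printf("swap semantics,   9 replacements: %d\n", run_replacements(1, 9));
    return 0;
}
```

With append semantics the encoded size grows by one record per replacement until the headroom is exhausted; with swap semantics it stays at a single record however many times the action is replaced, which is the invariant the fix restores.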
Details
- CWE(s)