CVE-2026-23390
Published: 25 March 2026
Summary
CVE-2026-23390 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23390 is a buffer overflow vulnerability in the Linux kernel's tracing subsystem, specifically the dma_map_sg tracepoint. It occurs when tracing large scatter-gather lists, such as those created by devices like virtio-gpu with large DRM buffers exceeding 1000 entries (nents). This results in dynamic arrays for phys_addrs, dma_addrs, and lengths totaling around 20,000 bytes, surpassing the PERF_MAX_TRACE_SIZE limit of 8192 bytes and triggering a perf buffer overflow warning in kernel/trace/trace_event_perf.c.
A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this by triggering the tracepoint on large scatter-gather operations. Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), corresponding to a CVSS v3.1 base score of 7.8 and mapped to CWE-787 (Out-of-bounds Write). This could enable kernel crashes, denial of service, or potential privilege escalation through the buffer overflow.
The referenced stable kernel commits detail the mitigation: the three dynamic arrays are capped at 128 entries (DMA_TRACE_MAX_ENTRIES) and sized with min(), so small operations allocate only what they need while large ones can no longer overflow the perf buffer. The tracepoint now records the full nents/ents counts and a truncated flag so consumers can tell when data has been capped. Reviewed by Sean Anderson, the patch was revised in v2, following feedback from Steven Rostedt, to use min()-based dynamic sizing rather than a fixed-size allocation. Security practitioners should apply these stable kernel updates promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15391
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow

The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu creating large DRM buffers, nents can exceed 1000 entries, resulting in:

  phys_addrs: 1000 * 8 bytes = 8,000 bytes
  dma_addrs:  1000 * 8 bytes = 8,000 bytes
  lengths:    1000 * 4 bytes = 4,000 bytes
  Total:      ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
  perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at 128 entries using min() in the array size calculation. This ensures arrays are only as large as needed (up to the cap), avoiding unnecessary memory allocation for small operations while preventing overflow for large ones. The tracepoint now records the full nents/ents counts and a truncated flag so users can see when data has been capped.

Changes in v2:
- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from Steven Rostedt)
- This allocates only what's needed up to the cap, avoiding waste for small operations

Reviewed-by: Sean Anderson <sean.anderson@linux.dev>
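The sizing arithmetic in the analysis and in the commit message above, written out as an added userspace model. This is not the kernel's code: the struct layout, the helper names and the sample scatter-gather values are assumptions made for illustration, and the model counts only the three dynamic arrays (8 + 8 + 4 bytes per entry), as the commit's arithmetic does, not the rest of the perf record. It shows the pre-fix size growing without bound with nents (1000 entries gives 20,000 bytes, well past PERF_MAX_TRACE_SIZE), the post-fix min(nents, DMA_TRACE_MAX_ENTRIES) sizing staying at or below 2560 bytes for any list, and the truncated flag and full counts that let a trace consumer notice the cap was applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits named in the commit message. */
#define PERF_MAX_TRACE_SIZE   8192u
#define DMA_TRACE_MAX_ENTRIES 128u

static unsigned int min_u(unsigned int a, unsigned int b) { return a < b ? a : b; }

/* Bytes the three dynamic arrays occupy for `entries` recorded elements:
 * 8-byte phys_addrs, 8-byte dma_addrs and 4-byte lengths, as in the commit. */
static size_t dma_trace_array_bytes(unsigned int entries)
{
	return (size_t)entries * (sizeof(uint64_t) + sizeof(uint64_t) + sizeof(uint32_t));
}

/* Pre-fix sizing: the arrays track nents with no upper bound. */
static size_t uncapped_array_bytes(unsigned int nents) { return dma_trace_array_bytes(nents); }

/* Post-fix sizing: min(nents, DMA_TRACE_MAX_ENTRIES) elements. */
static size_t capped_array_bytes(unsigned int nents)
{
	return dma_trace_array_bytes(min_u(nents, DMA_TRACE_MAX_ENTRIES));
}

/* Models the size check behind the "perf buffer not large enough" warning. */
static bool fits_perf_buffer(size_t bytes) { return bytes <= PERF_MAX_TRACE_SIZE; }

/* Illustrative post-fix record (an assumption, not the kernel's definition): the
 * full nents/ents counts survive, the arrays hold at most DMA_TRACE_MAX_ENTRIES
 * elements, and `truncated` tells the reader when data was cut. */
struct dma_trace_record {
	unsigned int nents, ents, recorded;
	bool truncated;
	uint64_t *phys_addrs, *dma_addrs;
	uint32_t *lengths;
};

static void dma_trace_record_free(struct dma_trace_record *rec)
{
	free(rec->phys_addrs);
	free(rec->dma_addrs);
	free(rec->lengths);
}

/* Size the arrays with min() and copy only that prefix of the sg list. */
static bool dma_trace_record_fill(struct dma_trace_record *rec,
				  const uint64_t *phys, const uint64_t *dma,
				  const uint32_t *len, unsigned int nents,
				  unsigned int ents)
{
	unsigned int n = min_u(nents, DMA_TRACE_MAX_ENTRIES);

	rec->nents = nents;
	rec->ents = ents;
	rec->recorded = n;
	rec->truncated = nents > DMA_TRACE_MAX_ENTRIES;
	rec->phys_addrs = malloc(n * sizeof(*rec->phys_addrs));
	rec->dma_addrs = malloc(n * sizeof(*rec->dma_addrs));
	rec->lengths = malloc(n * sizeof(*rec->lengths));
	if (!rec->phys_addrs || !rec->dma_addrs || !rec->lengths) {
		dma_trace_record_free(rec);
		return false;
	}
	memcpy(rec->phys_addrs, phys, n * sizeof(*phys));
	memcpy(rec->dma_addrs, dma, n * sizeof(*dma));
	memcpy(rec->lengths, len, n * sizeof(*len));
	return true;
}

/* Trace a constructed sg list of `nents` 4 KiB pages (sample values, not real
 * device data) and report what the capped record kept. */
static bool trace_constructed_sg(unsigned int nents, unsigned int *recorded,
				 bool *truncated)
{
	uint64_t *phys = malloc(nents * sizeof(*phys));
	uint64_t *dma = malloc(nents * sizeof(*dma));
	uint32_t *len = malloc(nents * sizeof(*len));
	struct dma_trace_record rec;
	bool ok = phys && dma && len;

	for (unsigned int i = 0; ok && i < nents; i++) {
		phys[i] = 0x100000000ull + (uint64_t)i * 4096;
		dma[i] = 0xf0000000ull + (uint64_t)i * 4096;
		len[i] = 4096;
	}
	if (ok)
		ok = dma_trace_record_fill(&rec, phys, dma, len, nents, nents);
	if (ok) {
		*recorded = rec.recorded;
		*truncated = rec.truncated;
		dma_trace_record_free(&rec);
	}
	free(phys);
	free(dma);
	free(len);
	return ok;
}

int main(void)
{
	const unsigned int cases[] = { 16, 128, 1000 };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		unsigned int n = cases[i], rec = 0;
		bool trunc = false;

		trace_constructed_sg(n, &rec, &trunc);
		printf("nents=%4u uncapped=%5zu bytes (%s) capped=%4zu bytes recorded=%3u truncated=%d\n",
		       n, uncapped_array_bytes(n),
		       fits_perf_buffer(uncapped_array_bytes(n)) ? "fits" : "overflow",
		       capped_array_bytes(n), rec, trunc);
	}
	return 0;
}
```

In this model anything past 409 entries overflows the 8192-byte perf buffer before the fix, while the capped form never needs more than 128 * 20 = 2560 bytes for the arrays; a consumer that sees `truncated` set knows the record describes only the first 128 entries of an `nents`-entry list and should not treat the array contents as the whole mapping.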
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local, low-privilege buffer overflow in the kernel tracing subsystem directly enables Exploitation for Privilege Escalation (T1068), or denial of service via a kernel crash.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2026-23390 by requiring timely application of the kernel patch that caps the dma_map_sg tracepoint arrays at 128 entries to prevent the perf buffer overflow.
- Kernel memory protections such as KASLR and stack canaries hinder exploitation of the buffer overflow in the tracing subsystem.
- CM-7 (Least Functionality): restricts unnecessary kernel tracing and perf subsystems to least functionality, preventing activation of the vulnerable dma_map_sg tracepoint.