Cyber Resilience

CVE-2026-23459

Severity: High
Published: 03 April 2026
Modified: 26 May 2026
KEV Added: not listed
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0030 (21.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23459 is a high-severity vulnerability in the Linux kernel with no CWE assigned. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique T1499.004 (Application or System Exploitation). The EPSS score of 0.0030 places it at the 21.4th percentile for exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23459 is a flaw in the Linux kernel's ip_tunnel code, in the iptunnel_xmit_stats() helper that charges a transmitted packet to a tunnel device's per-CPU counters. The blamed commits overlooked that vxlan and geneve transmit through udp_tunnel[6]_xmit_skb(), which calls iptunnel_xmit_stats(), and that those drivers keep their counters as NETDEV_PCPU_STAT_DSTATS rather than NETDEV_PCPU_STAT_TSTATS. The helper assumed TSTATS and addressed the block as a struct pcpu_sw_netstats, but the @syncp member sits at a different offset in struct pcpu_dstats, so on vxlan and geneve devices the sequence-counter update is written to the wrong field. On 32-bit kernels, where u64_stats_sync holds a real sequence counter, that misplaced write corrupts the stats block and can leave a stats reader spinning on a bogus sequence, which is the corruption-or-freeze behaviour the fix describes. On 64-bit kernels u64_stats_sync carries no sequence counter, so the write does not occur and the impact is confined to 32-bit builds.

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) gives a base score of 8.2: reachable over the network, low attack complexity, no privileges and no user interaction. Because iptunnel_xmit_stats() runs on the transmit path of every packet the host sends through a vxlan or geneve interface, an attacker does not need unusual packet contents; it is enough to make the host forward or answer traffic over the tunnel, and the flawed stats update then runs for each packet sent. The impact is rated high on availability (kernel freezes or memory corruption on 32-bit systems), low on integrity (the misplaced writes land in neighbouring fields of the stats block), and none on confidentiality.

Mitigation is to run a kernel that carries the upstream fixes from the stable tree. The primary fix, commit 0d087d00161f562d5047cc4009bb0c6a19daf9f1, adapts iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS and moves pcpu_stat_type next to dev->{t,d}stats so that the extra read does not cost a cache line miss. A related commit, 8431c602f551549f082bbfa67f3003f2d8e3e132, addresses associated issues in the tunnel handling. Update to a kernel incorporating both changes, prioritising 32-bit deployments that use vxlan or geneve. When checking a distribution kernel, note that stable backports receive new commit IDs, so search the changelog for the commit subject ("ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS") rather than for the upstream hash alone.
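The offset mismatch described in the analysis above, and the dispatch on pcpu_stat_type that the fix introduces, can be reproduced in a userspace model. The following C program is an added example, not kernel code and not the upstream patch: the two per-CPU structs copy the field order of the kernel's pcpu_sw_netstats and pcpu_dstats but use plain uint64_t instead of u64_stats_t and omit the kernel's __aligned attributes, so their exact byte offsets are an assumption for illustration. The u64_stats_sync model carries the 32-bit sequence counter; the function names xmit_stats_vulnerable(), xmit_stats_fixed(), syncp_offset_mismatch() and xmit_on_dstats_dev() are invented for this example. Build with `cc -std=c11 -O2 -o tunnel_stats tunnel_stats.c`.

```c
/* Userspace model of the CVE-2026-23459 stats-offset mismatch: an added
 * example, not kernel code. The two per-CPU structs copy the field order of
 * the kernel's pcpu_sw_netstats and pcpu_dstats but use plain uint64_t, not
 * u64_stats_t, and drop __aligned; their exact layout is an assumption. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* u64_stats_sync as on a 32-bit kernel: a real sequence counter. On 64-bit
 * kernels the struct is empty, so the misplaced update writes nothing. */
struct u64_stats_sync { uint32_t seq; };

enum netdev_stat_type { NETDEV_PCPU_STAT_TSTATS = 1, NETDEV_PCPU_STAT_DSTATS };

struct pcpu_sw_netstats {          /* what iptunnel_xmit_stats() assumed */
	uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes;
	struct u64_stats_sync syncp;  /* offset 32 in this model */
};

struct pcpu_dstats {               /* what vxlan/geneve actually allocate */
	uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes, rx_drops, tx_drops;
	struct u64_stats_sync syncp;  /* offset 48: two counters further on */
};

struct net_device {                /* only the fields this path touches */
	enum netdev_stat_type pcpu_stat_type;
	union {                        /* the real net_device unions these too */
		struct pcpu_sw_netstats *tstats;
		struct pcpu_dstats *dstats;
	};
};

/* Vulnerable shape: always treats the block as pcpu_sw_netstats. On a DSTATS
 * device both seq++ land inside rx_drops and the real syncp never moves; the
 * tx counters happen to coincide in this layout, which hides the bug. */
void xmit_stats_vulnerable(struct net_device *dev, int pkt_len)
{
	struct pcpu_sw_netstats *tstats = dev->tstats;
	tstats->syncp.seq++;          /* u64_stats_update_begin() */
	tstats->tx_bytes += (uint64_t)pkt_len;
	tstats->tx_packets++;
	tstats->syncp.seq++;          /* u64_stats_update_end() */
}

/* Fixed shape: dispatch on dev->pcpu_stat_type, as the upstream patch does.
 * The original code is correct for TSTATS devices, so reuse it there. */
void xmit_stats_fixed(struct net_device *dev, int pkt_len)
{
	if (dev->pcpu_stat_type == NETDEV_PCPU_STAT_DSTATS) {
		struct pcpu_dstats *d = dev->dstats;
		d->syncp.seq++;
		d->tx_bytes += (uint64_t)pkt_len;
		d->tx_packets++;
		d->syncp.seq++;
	} else {
		xmit_stats_vulnerable(dev, pkt_len);
	}
}

/* Distance the seqcount write misses by when a pcpu_dstats block is
 * addressed as pcpu_sw_netstats (16 bytes in this model). */
int syncp_offset_mismatch(void)
{
	return (int)(offsetof(struct pcpu_dstats, syncp) -
		     offsetof(struct pcpu_sw_netstats, syncp));
}

/* Transmit one pkt_len-byte packet on a DSTATS device through the given
 * updater and return the resulting block, copied out as bytes so the caller
 * never reads the memory through a second struct type. */
struct pcpu_dstats xmit_on_dstats_dev(void (*update)(struct net_device *, int),
				      int pkt_len)
{
	struct pcpu_dstats out;
	struct net_device dev = { .pcpu_stat_type = NETDEV_PCPU_STAT_DSTATS };

	dev.dstats = calloc(1, sizeof(*dev.dstats));
	if (!dev.dstats)
		abort();
	update(&dev, pkt_len);
	memcpy(&out, dev.dstats, sizeof(out));
	free(dev.dstats);
	return out;
}

int main(void)
{
	struct pcpu_dstats bad = xmit_on_dstats_dev(xmit_stats_vulnerable, 1500);
	struct pcpu_dstats good = xmit_on_dstats_dev(xmit_stats_fixed, 1500);

	printf("syncp offset mismatch: %d bytes\n", syncp_offset_mismatch());
	printf("vulnerable: rx_drops=%" PRIu64 " seq=%" PRIu32 "\n", bad.rx_drops, bad.syncp.seq);
	printf("fixed:      rx_drops=%" PRIu64 " seq=%" PRIu32 "\n", good.rx_drops, good.syncp.seq);
	return 0;
}
```

In this model the tx_packets and tx_bytes counters sit at the same offsets in both structs, so the vulnerable path leaves them looking correct while the two sequence-counter increments are written into rx_drops and the real syncp stays at zero; that is the kind of silent corruption the advisory describes. The real kernel structs are aligned differently, so treat the 16-byte figure as illustrative; the durable lesson is the dispatch on pcpu_stat_type in the fixed path.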


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS

Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats(). iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS. @syncp offset in pcpu_sw_netstats and pcpu_dstats is different. 32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten. This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.

CWE(s): none assigned

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote crafted traffic to vxlan/geneve tunnels triggers kernel corruption/freezes via stats offset mismatch (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31448 (same product: Linux kernel)
CVE-2024-57791 (same product: Linux kernel)
CVE-2026-23456 (same product: Linux kernel)
CVE-2026-31640 (same product: Linux kernel)
CVE-2026-31626 (same product: Linux kernel)
CVE-2026-31676 (same product: Linux kernel)
CVE-2026-31557 (same product: Linux kernel)
CVE-2026-43031 (same product: Linux kernel)
CVE-2026-23440 (same product: Linux kernel)
CVE-2026-31477 (same product: Linux kernel)

Affected Assets

Linux kernel: 6.14 through 6.19.10; 7.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires identifying, reporting, and correcting the kernel flaw in iptunnel_xmit_stats() through timely patching to prevent system corruptions or freezes from crafted tunnel traffic.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect)
Scans for vulnerabilities like CVE-2026-23459 in Linux kernel IP tunnel components and remediates them to mitigate remote exploitation risks.

Unnamed control (prevent)
Employs safeguards such as traffic filtering or rate limiting on vxlan/geneve interfaces to protect against denial-of-service from crafted packets triggering stats update flaws.
