CVE-2026-23459
Published: 03 April 2026
Summary
CVE-2026-23459 is a high-severity vulnerability in the Linux kernel; the weakness type (CWE) is unspecified. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); it ranks at the 21.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23459 is a vulnerability in the Linux kernel's ip_tunnel subsystem, specifically in the iptunnel_xmit_stats() function. The function was never adapted to handle NETDEV_PCPU_STAT_DSTATS: the blamed commits overlooked that vxlan and geneve tunnels use udp_tunnel[6]_xmit_skb(), which calls iptunnel_xmit_stats(). Because the function assumed tunnels only used NETDEV_PCPU_STAT_TSTATS, it accessed @syncp at its pcpu_sw_netstats offset even on devices whose per-CPU stats are pcpu_dstats, where @syncp sits at a different offset. On 32-bit kernels this overwrote the syncp sequence and could result in memory corruption or system freezes.
The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H): it is exploitable remotely over the network with low complexity and requires no privileges or user interaction. Attackers can send crafted traffic to affected IP tunnel interfaces, such as vxlan or geneve, to trigger the flawed stats update logic. The result is a high availability impact (kernel freezes or memory corruption on 32-bit systems), a low integrity impact, and no confidentiality loss.
Mitigation requires applying the upstream kernel patches referenced in the stable repository. The primary fix in commit 0d087d00161f562d5047cc4009bb0c6a19daf9f1 adapts iptunnel_xmit_stats() for NETDEV_PCPU_STAT_DSTATS and repositions pcpu_stat_type near dev->{t,d}stats to avoid cache line misses. A related commit, 8431c602f551549f082bbfa67f3003f2d8e3e132, addresses associated issues in the tunnel handling. Security practitioners should update to kernels incorporating these changes, particularly for 32-bit deployments using vxlan or geneve.
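The layout mismatch described above, as an added example that is not kernel code and not part of this record: a user-space model in which two simplified stand-in structures (not the kernel's real pcpu_sw_netstats and pcpu_dstats definitions, which carry more fields) place syncp at different offsets. One update path assumes the TSTATS layout, as the unpatched iptunnel_xmit_stats() did; the other dispatches on a per-device stats type, which is the shape of the fix. The struct, enum and function names, the union holding both pointers, and the sequence-counter model are assumptions made for the example. The 32-bit restriction comes from u64_stats_sync only containing a real sequence counter on 32-bit builds; the model reproduces that case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code. On 32-bit kernels u64_stats_sync holds
 * a real sequence counter (on 64-bit it is empty), so the 32-bit case is modeled. */
struct stats_sync {
    uint32_t sequence;
};

/* Simplified stand-in for pcpu_sw_netstats (NETDEV_PCPU_STAT_TSTATS). */
struct sw_netstats {
    uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes;
    struct stats_sync syncp;
};

/* Simplified stand-in for pcpu_dstats (NETDEV_PCPU_STAT_DSTATS): the extra
 * drop counters push syncp to a different offset than in sw_netstats. */
struct dstats {
    uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes;
    uint64_t rx_drops, tx_drops;
    struct stats_sync syncp;
};

enum pcpu_stat_type { STAT_NONE, STAT_TSTATS, STAT_DSTATS };

/* Modeled device (assumption): both stats pointers share one union, so a
 * device that allocated dstats is still reachable through dev->tstats. */
struct net_device {
    enum pcpu_stat_type pcpu_stat_type;
    union {
        struct sw_netstats *tstats;
        struct dstats *dstats;
    };
};

/* Shape of the defect: the per-CPU block is assumed to be sw_netstats. */
static void xmit_stats_assuming_tstats(struct net_device *dev, int pkt_len)
{
    struct sw_netstats *t = dev->tstats;

    t->syncp.sequence++;   /* update_begin: on a dstats device this lands in rx_drops */
    t->tx_bytes += (uint64_t)pkt_len;
    t->tx_packets++;
    t->syncp.sequence++;   /* update_end */
}

/* Shape of the fix: dispatch on pcpu_stat_type so each layout uses its own syncp. */
static void xmit_stats_by_type(struct net_device *dev, int pkt_len)
{
    switch (dev->pcpu_stat_type) {
    case STAT_TSTATS: {
        struct sw_netstats *t = dev->tstats;
        t->syncp.sequence++;
        t->tx_bytes += (uint64_t)pkt_len;
        t->tx_packets++;
        t->syncp.sequence++;
        break;
    }
    case STAT_DSTATS: {
        struct dstats *d = dev->dstats;
        d->syncp.sequence++;
        d->tx_bytes += (uint64_t)pkt_len;
        d->tx_packets++;
        d->syncp.sequence++;
        break;
    }
    default:
        break;
    }
}

/* Distance between the two syncp fields: the mismatch the advisory describes. */
size_t syncp_offset_delta(void)
{
    return offsetof(struct dstats, syncp) - offsetof(struct sw_netstats, syncp);
}

/* Returns 1 if the TSTATS-assuming path clobbers a dstats counter and never
 * touches the real dstats syncp, i.e. reproduces the defect in the model. */
int tstats_path_corrupts_dstats(void)
{
    struct dstats d;
    struct net_device dev = { .pcpu_stat_type = STAT_DSTATS, .dstats = &d };

    memset(&d, 0, sizeof d);
    xmit_stats_assuming_tstats(&dev, 100);
    return d.rx_drops != 0 && d.syncp.sequence == 0 && d.tx_bytes == 100;
}

/* Returns 1 if the type-dispatching path updates exactly the intended fields. */
int typed_path_preserves_dstats(void)
{
    struct dstats d;
    struct net_device dev = { .pcpu_stat_type = STAT_DSTATS, .dstats = &d };

    memset(&d, 0, sizeof d);
    xmit_stats_by_type(&dev, 100);
    return d.rx_drops == 0 && d.syncp.sequence == 2 &&
           d.tx_bytes == 100 && d.tx_packets == 1;
}

int main(void)
{
    printf("syncp offset: sw_netstats=%zu dstats=%zu (delta %zu)\n",
           offsetof(struct sw_netstats, syncp), offsetof(struct dstats, syncp),
           syncp_offset_delta());
    printf("tstats-assuming path corrupts dstats: %d\n", tstats_path_corrupts_dstats());
    printf("type-dispatching path preserves dstats: %d\n", typed_path_preserves_dstats());
    return 0;
}
```

The tx_bytes and tx_packets counters sit at the same offsets in both layouts, which is why the defect is invisible in the counters themselves: only the sequence-counter writes land on the wrong field, which on a real 32-bit kernel means a corrupted seqcount and, for readers spinning on it, a freeze.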
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18718
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats(). iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS. @syncp offset in pcpu_sw_netstats and pcpu_dstats is different. 32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten. This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote crafted traffic to vxlan/geneve tunnels triggers kernel corruption/freezes via stats offset mismatch (T1499.004 Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires identifying, reporting, and correcting the kernel flaw in iptunnel_xmit_stats() through timely patching, preventing system corruption or freezes caused by crafted tunnel traffic.
- RA-5 (Vulnerability Monitoring and Scanning): scans for vulnerabilities like CVE-2026-23459 in Linux kernel IP tunnel components and drives their remediation to reduce remote exploitation risk.
- Employs safeguards such as traffic filtering or rate limiting on vxlan/geneve interfaces to protect against denial of service from crafted packets that trigger the stats update flaw.