FKIE_CVE-2026-23276

Vulnerability from fkie_nvd - Published: 2026-03-20 09:16 - Updated: 2026-03-25 11:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not sufficient because tunnel recursion involves route lookups and full IP output, consuming much more stack per level. Use a lower limit of 4 (IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. Add recursion detection using dev_xmit_recursion helpers directly in iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). Move dev_xmit_recursion helpers from net/core/dev.h to public header include/linux/netdevice.h so they can be used by tunnel code. BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 Workqueue: mld mld_ifc_work Call Trace: <TASK> __build_flow_key.constprop.0 (net/ipv4/route.c:515) ip_rt_update_pmtu (net/ipv4/route.c:1073) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) mld_sendpack mld_ifc_work process_one_work worker_thread </TASK>
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n  \u003cTASK\u003e\n  __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n  ip_rt_update_pmtu (net/ipv4/route.c:1073)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  mld_sendpack\n  mld_ifc_work\n  process_one_work\n  worker_thread\n  \u003c/TASK\u003e"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: a\u00f1adir l\u00edmite de recursi\u00f3n de xmit a las funciones xmit de t\u00fanel\n\nLas funciones xmit de t\u00fanel (iptunnel_xmit, ip6tunnel_xmit) carecen de su propio l\u00edmite de recursi\u00f3n. Cuando un dispositivo bond en modo broadcast tiene interfaces GRE tap como esclavos, y esos t\u00faneles GRE enrutan de vuelta a trav\u00e9s del bond, el tr\u00e1fico multicast/broadcast desencadena una recursi\u00f3n infinita entre bond_xmit_broadcast() y ip_tunnel_xmit()/ip6_tnl_xmit(), causando un desbordamiento de pila del kernel.\n\nEl XMIT_RECURSION_LIMIT (8) existente en la ruta sin qdisc no es suficiente porque la recursi\u00f3n del t\u00fanel implica b\u00fasquedas de ruta y salida IP completa, consumiendo mucha m\u00e1s pila por nivel. Use un l\u00edmite inferior de 4 (IP_TUNNEL_RECURSION_LIMIT) para prevenir el desbordamiento.\n\nA\u00f1ada detecci\u00f3n de recursi\u00f3n usando las funciones auxiliares dev_xmit_recursion directamente en iptunnel_xmit() y ip6tunnel_xmit() para cubrir todas las rutas de t\u00fanel IPv4/IPv6, incluyendo los t\u00faneles encapsulados UDP (VXLAN, Geneve, etc.).\n\nMueva las funciones auxiliares dev_xmit_recursion de net/core/dev.h al encabezado p\u00fablico include/linux/netdevice.h para que puedan ser usadas por el c\u00f3digo del t\u00fanel.\n\nBUG: KASAN: pila-fuera-de-l\u00edmites en blake2s.constprop.0+0xe7/0x160\nEscritura de tama\u00f1o 32 en la direcci\u00f3n ffff88810033fed0 por la tarea kworker/0:1/11\nCola de trabajo: mld mld_ifc_work\nRastro de Llamada:\n \n __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n ip_rt_update_pmtu (net/ipv4/route.c:1073)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n mld_sendpack\n mld_ifc_work\n process_one_work\n worker_thread\n "
    }
  ],
  "id": "CVE-2026-23276",
  "lastModified": "2026-03-25T11:16:21.820",
  "metrics": {},
  "published": "2026-03-20T09:16:13.370",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.