Vulnerability-Lookup

GHSA-QF3F-HXV9-HPX7

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-03-25 12:30

Details

In the Linux kernel, the following vulnerability has been resolved:

tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow

The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu creating large DRM buffers, nents can exceed 1000 entries, resulting in:

phys_addrs: 1000 * 8 bytes = 8,000 bytes dma_addrs: 1000 * 8 bytes = 8,000 bytes lengths: 1000 * 4 bytes = 4,000 bytes Total: ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405 perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at 128 entries using min() in the array size calculation. This ensures arrays are only as large as needed (up to the cap), avoiding unnecessary memory allocation for small operations while preventing overflow for large ones.

The tracepoint now records the full nents/ents counts and a truncated flag so users can see when data has been capped.

Changes in v2: - Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from Steven Rostedt) - This allocates only what's needed up to the cap, avoiding waste for small operations

Reviwed-by: Sean Anderson sean.anderson@linux.dev

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-23390"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:39Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow\n\nThe dma_map_sg tracepoint can trigger a perf buffer overflow when\ntracing large scatter-gather lists. With devices like virtio-gpu\ncreating large DRM buffers, nents can exceed 1000 entries, resulting\nin:\n\n  phys_addrs: 1000 * 8 bytes = 8,000 bytes\n  dma_addrs:  1000 * 8 bytes = 8,000 bytes\n  lengths:    1000 * 4 bytes = 4,000 bytes\n  Total: ~20,000 bytes\n\nThis exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:\n\n  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405\n  perf buffer not large enough, wanted 24620, have 8192\n\nCap all three dynamic arrays at 128 entries using min() in the array\nsize calculation. This ensures arrays are only as large as needed\n(up to the cap), avoiding unnecessary memory allocation for small\noperations while preventing overflow for large ones.\n\nThe tracepoint now records the full nents/ents counts and a truncated\nflag so users can see when data has been capped.\n\nChanges in v2:\n- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing\n  instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from\n  Steven Rostedt)\n- This allocates only what\u0027s needed up to the cap, avoiding waste\n  for small operations\n\nReviwed-by: Sean Anderson \u003csean.anderson@linux.dev\u003e",
  "id": "GHSA-qf3f-hxv9-hpx7",
  "modified": "2026-03-25T12:30:24Z",
  "published": "2026-03-25T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23390"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/02d209bb018a40dee9eac89e91860253dee9605b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/daafcc0ef0b358d9d622b6e3b7c43767aa3814ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f2584f791a10343bdc995ff6ff402db45b95de69"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2026-23390 (GCVE-0-2026-23390)

Vulnerability from cvelistv5 – Published: 2026-03-25 10:29 – Updated: 2026-03-25 16:49

Title

tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu creating large DRM buffers, nents can exceed 1000 entries, resulting in: phys_addrs: 1000 * 8 bytes = 8,000 bytes dma_addrs: 1000 * 8 bytes = 8,000 bytes lengths: 1000 * 4 bytes = 4,000 bytes Total: ~20,000 bytes This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing: WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405 perf buffer not large enough, wanted 24620, have 8192 Cap all three dynamic arrays at 128 entries using min() in the array size calculation. This ensures arrays are only as large as needed (up to the cap), avoiding unnecessary memory allocation for small operations while preventing overflow for large ones. The tracepoint now records the full nents/ents counts and a truncated flag so users can see when data has been capped. Changes in v2: - Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from Steven Rostedt) - This allocates only what's needed up to the cap, avoiding waste for small operations Reviwed-by: Sean Anderson <sean.anderson@linux.dev>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/02d209bb018a40dee…
	https://git.kernel.org/stable/c/f2584f791a10343bd…
	https://git.kernel.org/stable/c/daafcc0ef0b358d9d…

Impacted products

Vendor

Product

Version

Linux

Affected: 038eb433dc1474c4bc7d33188294e3d4778efdfd , < 02d209bb018a40dee9eac89e91860253dee9605b (git)
Affected: 038eb433dc1474c4bc7d33188294e3d4778efdfd , < f2584f791a10343bdc995ff6ff402db45b95de69 (git)
Affected: 038eb433dc1474c4bc7d33188294e3d4778efdfd , < daafcc0ef0b358d9d622b6e3b7c43767aa3814ee (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.74 , ≤ 6.12.* (semver)
Unaffected: 6.18.13 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/dma.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "02d209bb018a40dee9eac89e91860253dee9605b",
              "status": "affected",
              "version": "038eb433dc1474c4bc7d33188294e3d4778efdfd",
              "versionType": "git"
            },
            {
              "lessThan": "f2584f791a10343bdc995ff6ff402db45b95de69",
              "status": "affected",
              "version": "038eb433dc1474c4bc7d33188294e3d4778efdfd",
              "versionType": "git"
            },
            {
              "lessThan": "daafcc0ef0b358d9d622b6e3b7c43767aa3814ee",
              "status": "affected",
              "version": "038eb433dc1474c4bc7d33188294e3d4778efdfd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/dma.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow\n\nThe dma_map_sg tracepoint can trigger a perf buffer overflow when\ntracing large scatter-gather lists. With devices like virtio-gpu\ncreating large DRM buffers, nents can exceed 1000 entries, resulting\nin:\n\n  phys_addrs: 1000 * 8 bytes = 8,000 bytes\n  dma_addrs:  1000 * 8 bytes = 8,000 bytes\n  lengths:    1000 * 4 bytes = 4,000 bytes\n  Total: ~20,000 bytes\n\nThis exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:\n\n  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405\n  perf buffer not large enough, wanted 24620, have 8192\n\nCap all three dynamic arrays at 128 entries using min() in the array\nsize calculation. This ensures arrays are only as large as needed\n(up to the cap), avoiding unnecessary memory allocation for small\noperations while preventing overflow for large ones.\n\nThe tracepoint now records the full nents/ents counts and a truncated\nflag so users can see when data has been capped.\n\nChanges in v2:\n- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing\n  instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from\n  Steven Rostedt)\n- This allocates only what\u0027s needed up to the cap, avoiding waste\n  for small operations\n\nReviwed-by: Sean Anderson \u003csean.anderson@linux.dev\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T16:49:17.786Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/02d209bb018a40dee9eac89e91860253dee9605b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2584f791a10343bdc995ff6ff402db45b95de69"
        },
        {
          "url": "https://git.kernel.org/stable/c/daafcc0ef0b358d9d622b6e3b7c43767aa3814ee"
        }
      ],
      "title": "tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23390",
    "datePublished": "2026-03-25T10:29:02.768Z",
    "dateReserved": "2026-01-13T15:37:46.008Z",
    "dateUpdated": "2026-03-25T16:49:17.786Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-QF3F-HXV9-HPX7

CVE-2026-23390 (GCVE-0-2026-23390)

Tags

Sightings

Nomenclature