Bug 2439854 (CVE-2026-23140)

Summary: CVE-2026-23140 kernel: bpf, test_run: Subtract size of xdp_frame from allowed metadata size
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: helengrace.he
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-14 16:01:53 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Subtract size of xdp_frame from allowed metadata size

The xdp_frame structure takes up part of the XDP frame headroom,
limiting the size of the metadata. However, in bpf_test_run, we don't
take this into account, which makes it possible for userspace to supply
a metadata size that is too large (taking up the entire headroom).

If userspace supplies such a large metadata size in live packet mode,
the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call
will fail, after which packet transmission proceeds with an
uninitialised frame structure, leading to the usual Bad Stuff.

The commit in the Fixes tag fixed a related bug where the second check
in xdp_update_frame_from_buff() could fail, but did not add any
additional constraints on the metadata size. Complete the fix by adding
an additional check on the metadata size. Reorder the checks slightly to
make the logic clearer and add a comment.
Comment 1 Alexander B 2026-02-16 09:42:42 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23140-fed3@gregkh/T
Comment 4 Helen Grace 2026-02-25 09:11:38 UTC 
(In reply to Alexander B from comment #1)
> Upstream advisory:
> https://sprunki-retake.io/ https://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23140-
> fed3@gregkh/T
Thanks for adding the upstream advisory and updating the classification. Medium severity seems appropriate given the potential for uninitialized frame usage in live packet mode.