Bug 2451261 (CVE-2026-23377)

Summary: CVE-2026-23377 kernel: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel, specifically within the `ice` network driver and the eXpress Data Path (XDP) component. This vulnerability arises from an incorrect calculation of the `frag_size` in XDP receive queue information, which can lead to an invalid memory state known as "negative tailroom." A local user can exploit this by manipulating packet sizes and offsets during XDP operations. Successful exploitation can trigger a kernel panic, resulting in a Denial of Service (DoS) for the affected system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-25 11:07:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

The only user of frag_size field in XDP RxQ info is
bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead
of DMA write size. Different assumptions in ice driver configuration lead
to negative tailroom.

This allows to trigger kernel panic, when using
XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to
6912 and the requested offset to a huge value, e.g.
XSK_UMEM__MAX_FRAME_SIZE * 100.

Due to other quirks of the ZC configuration in ice, panic is not observed
in ZC mode, but tailroom growing still fails when it should not.

Use fill queue buffer truesize instead of DMA write size in XDP RxQ info.
Fix ZC mode too by using the new helper.
Comment 1 Alexander B 2026-03-25 12:28:50 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23377-cb04@gregkh/T