2451261 – (CVE-2026-23377) CVE-2026-23377 kernel: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

Bug 2451261 (CVE-2026-23377) - CVE-2026-23377 kernel: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

Summary: CVE-2026-23377 kernel: ice: change XDP RxQ frag_size from DMA write length to...

Keywords:
Status:	NEW
Alias:	CVE-2026-23377
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-25 11:07 UTC by OSIDB Bzimport
Modified:	2026-03-25 23:19 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-25 11:07:40 UTC

In the Linux kernel, the following vulnerability has been resolved:

ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

The only user of frag_size field in XDP RxQ info is
bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead
of DMA write size. Different assumptions in ice driver configuration lead
to negative tailroom.

This allows to trigger kernel panic, when using
XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to
6912 and the requested offset to a huge value, e.g.
XSK_UMEM__MAX_FRAME_SIZE * 100.

Due to other quirks of the ZC configuration in ice, panic is not observed
in ZC mode, but tailroom growing still fails when it should not.

Use fill queue buffer truesize instead of DMA write size in XDP RxQ info.
Fix ZC mode too by using the new helper.

Comment 1 Alexander B 2026-03-25 12:28:50 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23377-cb04@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.