High

Stack out-of-bounds write in Linux kernel BPF devmap

IdentifiersCVE-2026-23359CWE-121

CVE-2026-23359 is a Linux kernel memory-safety flaw in the BPF devmap/XDP redirect path. The vulnerable logic is in get_upper_ifindexes(), which iterates over upper network devices and stores their interface indices into a caller-provided array without enforcing array bounds. Callers assumed the number of upper devices would not exceed MAX_NEST_DEV and allocated excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is invalid because a device can have more than MAX_NEST_DEV upper devices, for example many macvlans. When more entries are written than the stack buffer can hold, a stack out-of-bounds write occurs. The fix adds a maximum-size parameter to get_upper_ifindexes(); if too many upper devices are present, the kernel now returns -EOVERFLOW and aborts the redirect.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering causes kernel stack memory corruption in the networking/BPF path. The documented consequences include denial of service via kernel crash or instability, and because this is a stack out-of-bounds write in kernel context, it may also create conditions for further compromise such as corruption of adjacent stack data. The provided source material specifically confirms availability impact and notes confidentiality/integrity impact in SUSE scoring, but does not provide a verified public statement of reliable privilege escalation or code execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by avoiding the specific trigger conditions in the XDP/BPF redirect path: do not use configurations that combine an attached XDP program with BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS on devices that may have large numbers of upper devices. Limit or avoid creating more than MAX_NEST_DEV upper devices, such as large numbers of macvlans, on affected interfaces. Restrict who can load/manage BPF/XDP programs and create or reconfigure network devices, since the documented attack vector is local and requires high privileges.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the fix for CVE-2026-23359. The remediation is the upstream change that adds a max parameter to get_upper_ifindexes(), performs bounds checking on the upper-device index collection, and returns -EOVERFLOW to abort the redirect when the number of upper devices exceeds the allowed limit. Vendor advisories indicate fixed kernel packages were released across multiple SUSE product lines, including versions such as kernel-default 6.12.0-160000.34.1 for SLE 16.0-related products and kernel-default 6.4.0-47.1 / 6.4.0-150700.53.60.1 for certain other supported lines. Reboot after installing the updated kernel.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

bugzilla suseNews

Jun 26, 2026

1258538 - Enable Rust for Tumbleweed kernel

Referenced as one of many vulnerabilities solved by SUSE security updates; no technical details provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-23359

NVD

nvd.nist.gov/vuln/detail/CVE-2026-23359

MITRE CWE · CWE-121

cwe.mitre.org

Patch

git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e

Patch

git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2

Patch

git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1

Patch

git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45

Patch

git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1

Patch

git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182

Patch

git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7