PatchSiren cyber security CVE debrief

CVE-2026-23459 Linux CVE debrief

A vulnerability in the Linux kernel's IP tunneling subsystem can cause memory corruption or system freezes on 32-bit architectures. The `iptunnel_xmit_stats()` function incorrectly assumed that all tunnels use `NETDEV_PCPU_STAT_TSTATS`, but VXLAN and GENEVE tunnels use `NETDEV_PCPU_STAT_DSTATS`. The offset of the `@syncp` member differs between the `pcpu_sw_netstats` and `pcpu_dstats` structures, so on 32-bit kernels the function's updates to the synchronization sequence land at the wrong offset; overwriting that sequence can lead to memory corruption or system freezes. The issue affects Linux kernel versions 6.14 through 6.19.9 and 7.0 release candidates 1 through 4. It was introduced by commits that modified tunnel statistics handling without accounting for the different per-CPU stat types used by UDP-based tunnels. A fix has been committed to the stable kernel tree that adapts `iptunnel_xmit_stats()` to handle both stat types correctly and relocates `pcpu_stat_type` to improve cache locality.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Linux system administrators operating 32-bit kernel deployments with VXLAN or GENEVE overlay networking, cloud infrastructure providers using Linux-based tunneling, and organizations running container orchestration platforms that rely on kernel-level network virtualization on affected kernel versions.

Technical summary

The vulnerability exists in `iptunnel_xmit_stats()`, which updates per-CPU statistics for IP tunnels. The function was written on the assumption that all tunnels use `NETDEV_PCPU_STAT_TSTATS` (tunnel stats), but VXLAN and GENEVE tunnels, whose transmit path goes through `udp_tunnel[6]_xmit_skb()`, use `NETDEV_PCPU_STAT_DSTATS` (device stats). The `pcpu_sw_netstats` and `pcpu_dstats` structures place their `@syncp` member at different offsets. When `iptunnel_xmit_stats()` operates on a DSTATS-type tunnel, its sequence-counter writes therefore land at the wrong location in the structure, potentially corrupting the sequence counter used for synchronization. The problem is specific to 32-bit systems because only there does `u64_stats_sync` contain a real sequence counter; on 64-bit kernels the structure is empty and the mismatched write has no effect. On affected systems the result can be silent data corruption or a system freeze. The fix makes the function check the stat type and handle both structures correctly, and improves cache behaviour by moving `pcpu_stat_type` next to the stats pointers.
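The offset mismatch described above, as an added userspace model (not kernel code): the structures mimic the kernel's `pcpu_sw_netstats` and `pcpu_dstats` layouts with simplified sizes and a one-word seqcount standing in for the 32-bit `u64_stats_sync`, and the two functions show the pre-fix path (blind `tstats` cast) beside the post-fix path that dispatches on `pcpu_stat_type`. The device structure, `xmit_on_dstats_dev()` and the packet size are this model's assumptions.

```c
/* Added userspace model of CVE-2026-23459, not kernel code. Structs mimic the
 * kernel's pcpu_sw_netstats / pcpu_dstats layouts (names follow the kernel;
 * sizes and the seqcount are simplified). On 32-bit kernels u64_stats_sync
 * holds a real seqcount; on 64-bit it is empty, so only 32-bit builds are hit. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t seq; } u64_stats_sync;
struct pcpu_sw_netstats {               /* NETDEV_PCPU_STAT_TSTATS */
    uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes;
    u64_stats_sync syncp;               /* offset 32 */
};
struct pcpu_dstats {                    /* NETDEV_PCPU_STAT_DSTATS */
    uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes, rx_drops, tx_drops;
    u64_stats_sync syncp;               /* offset 48; rx_drops sits at 32 */
};
enum pcpu_stat_type { PCPU_STAT_TSTATS, PCPU_STAT_DSTATS };
struct net_device {                     /* minimal model: stats ptrs share a union */
    enum pcpu_stat_type pcpu_stat_type;
    union { struct pcpu_sw_netstats *tstats; struct pcpu_dstats *dstats; };
};
/* Pre-fix: always treats the block as tstats (seq++ = u64_stats_update_begin/end).
 * On a DSTATS device both increments land in rx_drops; the real syncp is untouched. */
static void iptunnel_xmit_stats_buggy(struct net_device *dev, int pkt_len)
{
    struct pcpu_sw_netstats *t = dev->tstats;   /* wrong layout for DSTATS */
    t->syncp.seq++; t->tx_bytes += pkt_len; t->tx_packets++; t->syncp.seq++;
}
/* Post-fix: dispatch on pcpu_stat_type so each layout uses its own syncp. */
static void iptunnel_xmit_stats_fixed(struct net_device *dev, int pkt_len)
{
    if (dev->pcpu_stat_type == PCPU_STAT_DSTATS) {
        struct pcpu_dstats *d = dev->dstats;
        d->syncp.seq++; d->tx_bytes += pkt_len; d->tx_packets++; d->syncp.seq++;
    } else {
        struct pcpu_sw_netstats *t = dev->tstats;
        t->syncp.seq++; t->tx_bytes += pkt_len; t->tx_packets++; t->syncp.seq++;
    }
}
/* One 100-byte xmit on a fresh DSTATS device; returns the block for inspection. */
struct pcpu_dstats xmit_on_dstats_dev(int use_fixed)
{
    struct pcpu_dstats d; memset(&d, 0, sizeof d);
    struct net_device dev = { .pcpu_stat_type = PCPU_STAT_DSTATS, .dstats = &d };
    if (use_fixed) iptunnel_xmit_stats_fixed(&dev, 100);
    else           iptunnel_xmit_stats_buggy(&dev, 100);
    __asm__ __volatile__("" ::: "memory");  /* barrier: keep the mistyped writes visible */
    return d;
}
```

Running the buggy path leaves `syncp.seq` at zero and puts the two increments into `rx_drops`, which is the same class of misplaced write the debrief attributes to 32-bit kernels; the fixed path updates the real counter and leaves `rx_drops` alone.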

Defensive priority

HIGH

Recommended defensive actions

  • Apply official kernel patches from the stable tree to affected systems running Linux kernel 6.14 through 6.19.9 or 7.0 release candidates
  • Prioritize patching 32-bit kernel deployments that utilize VXLAN or GENEVE tunneling
  • Verify kernel version and tunnel configuration before applying updates
  • Monitor system stability logs on affected 32-bit systems for signs of memory corruption or unexpected freezes
  • Consider upgrading to kernel 6.19.10 or later when available, as that release carries the fix

Evidence notes

CVE published 2026-04-03; modified 2026-05-26. NVD analysis confirms affected kernel versions: 6.14 through 6.19.9, plus 7.0-rc1 through rc4. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H. Official patches available via kernel.org stable tree.

Official resources

2026-04-03