CVE-2026-23459

Summary

In the Linux kernel, the following vulnerability has been resolved:

ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS

Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats().

iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS.

@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.

32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten.

This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxbe226352e8dc77d3313c096b2d8e7f69bf6980fc < 0d087d00161f562d5047cc4009bb0c6a19daf9f1affected
LinuxLinuxbe226352e8dc77d3313c096b2d8e7f69bf6980fc < 8431c602f551549f082bbfa67f3003f2d8e3e132affected
LinuxLinux6.14affected
LinuxLinux0 < 6.14unaffected
LinuxLinux6.19.10 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References