CVE-2026-23262 (GCVE-0-2026-23262)
Vulnerability from cvelistv5
Published
2026-03-18 17:41
Modified
2026-03-18 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: Fix stats report corruption on queue count change
The driver and the NIC share a region in memory for stats reporting.
The NIC calculates its offset into this region based on the total size
of the stats region and the size of the NIC's stats.
When the number of queues is changed, the driver's stats region is
resized. If the queue count is increased, the NIC can write past
the end of the allocated stats region, causing memory corruption.
If the queue count is decreased, there is a gap between the driver
and NIC stats, leading to incorrect stats reporting.
This change fixes the issue by allocating stats region with maximum
size, and the offset calculation for NIC stats is changed to match
with the calculation of the NIC.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c Version: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c Version: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c Version: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c Version: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c Version: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c Version: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_ethtool.c",
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f432f7613c220db32c2c6942420daf7b3f2e7d7e",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "9d93332397405b62a3300b22d04ac65d990b91ff",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "837c662f47dac43efa1aef2dd433c6b4b4c073af",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "df54838ab61826ecc1a562ffa5e280c3ab7289a7",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "9fa0a755db3e1945fe00f73fe27d85ef6c8818b7",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "11f8311f69e4c361717371b4901ff92daeb76e9c",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "7b9ebcce0296e104a0d82a6b09d68564806158ff",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_ethtool.c",
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Fix stats report corruption on queue count change\n\nThe driver and the NIC share a region in memory for stats reporting.\nThe NIC calculates its offset into this region based on the total size\nof the stats region and the size of the NIC\u0027s stats.\n\nWhen the number of queues is changed, the driver\u0027s stats region is\nresized. If the queue count is increased, the NIC can write past\nthe end of the allocated stats region, causing memory corruption.\nIf the queue count is decreased, there is a gap between the driver\nand NIC stats, leading to incorrect stats reporting.\n\nThis change fixes the issue by allocating stats region with maximum\nsize, and the offset calculation for NIC stats is changed to match\nwith the calculation of the NIC."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:08.380Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f432f7613c220db32c2c6942420daf7b3f2e7d7e"
},
{
"url": "https://git.kernel.org/stable/c/9d93332397405b62a3300b22d04ac65d990b91ff"
},
{
"url": "https://git.kernel.org/stable/c/837c662f47dac43efa1aef2dd433c6b4b4c073af"
},
{
"url": "https://git.kernel.org/stable/c/df54838ab61826ecc1a562ffa5e280c3ab7289a7"
},
{
"url": "https://git.kernel.org/stable/c/9fa0a755db3e1945fe00f73fe27d85ef6c8818b7"
},
{
"url": "https://git.kernel.org/stable/c/11f8311f69e4c361717371b4901ff92daeb76e9c"
},
{
"url": "https://git.kernel.org/stable/c/7b9ebcce0296e104a0d82a6b09d68564806158ff"
}
],
"title": "gve: Fix stats report corruption on queue count change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23262",
"datePublished": "2026-03-18T17:41:08.380Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:08.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…